Chapter 1



Quantum cryptography 



Cryptography is the art of secrecy. Nearly as old as the art of writing itself, it 
concerns itself with one of the most fundamental problems faced by any society 
whose success crucially depends on knowledge and information: With whom do 
we want to share information, and when, and how much? 

1.1 Introduction 

Starting with the first known encrypted texts from 1900 BC in Egypt [Wik],
cryptography has a fascinating history [Kah96]. Its goal is simple: to protect
secrets as best as is physically possible. Following our increased understanding
of physical processes with the advent of quantum mechanics, Wiesner [Wie83]
proposed using quantum techniques for cryptography in the early 1970's.
Unfortunately, his groundbreaking work, which contained the seed for quantum key
distribution, oblivious transfer (as described below), and a form of quantum
money, was initially met with rejection [Bra05]. In 1982, Bennett, Brassard,
Breitbart and Wiesner joined forces to publish "Quantum cryptography, or
unforgeable subway tokens" which luckily found acceptance [BBBW82], leading to
the by now vast field of research in quantum key distribution (QKD). Quantum key
distribution allows two remote parties who are only connected via a quantum
channel to generate an arbitrarily long secret key that they can then use to
perfectly shield their messages from prying eyes. The idea is beautiful in its
simplicity: unlike with classical data, quantum mechanics prevents us from
copying an unknown quantum state. What's more is that any attempt to extract
information from such a state can be detected! That is, we can now determine
whether an eavesdropper has been trying to intercept our secrets. Possibly the
most famous QKD protocol known to date was proposed in 1983 by Bennett and
Brassard [BB83], and is more commonly known as BB84 from its 1984 full
publication [BB84]. Indeed, many quantum cryptographic protocols to date are
inspired in some fashion by BB84. It saw its first experimental implementation
in 1989, when Bennett, Bessette, Brassard, Salvail and Smolin built the first
QKD setup covering a staggering distance of 32.5 cm [BB89, BBB+92]! In 1991,
Ekert proposed a beautiful alternative view of QKD based on quantum entanglement
and the violation of Bell's theorem, leading to the protocol now known as E91
[Eke91]. His work paved the way to establishing the security of QKD protocols,
and led to many other interesting tasks such as entanglement distillation. Since
then, many other protocols such as B92 [Ben92] have been suggested. Today, QKD
and its related problems form a well-established part of quantum information,
with countless proposals and experimental implementations. It especially saw
increased interest after the discovery of Shor's quantum factoring algorithm in
1994 [Sho97] that renders almost all known classical encryption systems
insecure, once a quantum computer is built. Some of the first security proofs
were provided by Mayers [May96a], Lo and Chau [LC99], and Shor and Preskill
[SP00], finally culminating in the wonderful work of Renner [Ren05] who supplied
the most general framework for proving the security of any known QKD protocol.
QKD systems are already available commercially today [Qua, Tec]. The best known
experimental implementations now cover distances of up to 148.7 km in optical
fiber [HRP+06], and 144 km in free space in an experiment conducted between two
Canary islands.





Figure 1.1: Encrypted pottery glaze formula, Mesopotamia 1500 BC



Figure 1.2: QKD today 



Traditional cryptography is concerned with the secure and reliable transmis- 
sion of messages. With the advent of widespread electronic communication, how- 
ever, new cryptographic tasks have become increasingly important. We would 
like to construct secure protocols for electronic voting, online auctions, contract 
signing and many other applications where the protocol participants themselves 
do not trust each other. Two primitives that can be used to construct all such 
protocols are bit commitment and oblivious transfer. We will introduce both 
primitives in detail below. Interestingly, it turns out that despite many initially 
suggested protocols [BBBW82, Cre94], both primitives are impossible to achieve
when we ask for unconditional security. Luckily, as we will see in Chapter 11,
we can still implement both building blocks if we assume that our quantum
operations are affected by noise. Here, the very problem that prevents us from
implementing a full-scale quantum computer can be turned to our advantage. 

In this chapter, we give an informal introduction to cryptography in the quan- 
tum setting. We first introduce necessary terminology, before giving an overview 
over the most well-known cryptographic primitives. Since our goal is to give 
an overview, we will restrict ourselves to informal definitions. Surprisingly, even 
definitions themselves turn out to be a tricky undertaking, especially when en- 
tering the quantum realm. Finally, we discuss what makes the quantum setting 
so different from the classical one, and identify a range of open problems. 

1.2 Setting the state 
1.2.1 Terminology 

In this text, we consider protocols among multiple participants $P_1, \ldots, P_n$, also
called players. When considering only two players, we generally identify them 
with the protagonists Alice and Bob. Each player may hold a private input, that is 
classical and quantum data unknown to the other players. In addition, the players 
may have access to a shared resource such as classical shared randomness or 
quantum entanglement that has been distributed before the start of the protocol. 
We will refer to any information that is available to all players as public. A subset 
of players may also have access to shared information that is known only to them, 
but not to the remaining players. Such an input is called private shared input. In 
the case of shared randomness, this is also known as private shared randomness. 
The players can be connected by classical as well as quantum channels, and use 
them to exchange messages during the course of the protocol. A given protocol 
consists of a set of messages as well as a specification of actions to be undertaken 
by the players. At the end of the protocol, each player may have a classical as 
well as a quantum output. 

A player is called honest, if he follows the protocol exactly as dictated. He is
called honest-but-curious, if he follows the protocol, but nevertheless tries to
gain additional information by processing the information supplied by the
protocol in a way which is not intended by the protocol. An honest player, for
example, will simply ignore parts of the information he is given, as he will do
exactly as he is told. However, a player that is honest-but-curious will take
advantage of all information he is given, i.e., he may read and copy all
messages as desired, and never forgets any information he is given.^1 Yet, the
execution of the protocol itself is unaffected as the player does not change any
information used in the protocol, he merely reads it. But what does this mean in
a quantum setting? Indeed, this question appears to be a frequent point of
debate. We will see in Chapter 2 that he cannot copy arbitrary quantum
information, and extracting non-classical information from a quantum state will
necessarily lead to disturbance. Evidently, disturbance alters the quantum
states during the protocol. Hence, the player actually took actions to alter the
execution of the protocol, and we can no longer regard him as honest. After
examining quantum operations in Chapter 2 we will return to the definition of an
honest-but-curious player in the quantum setting. Finally, a player can also be
dishonest: he will do anything in his power to break the protocol. Evidently,
this is the most realistic setting, and we will always consider it here.

^1 Note that since an honest-but-curious player never forgets any information,
he effectively makes a copy of all messages. He will erase his memory needed for
the execution of the protocol if dictated by the protocol: his copy lies outside
this memory.

An adversary is someone who is trying to break the protocol. An adversary 
is generally modeled as an entity outside of the protocol that can either be an 
eavesdropper, or take part in the protocol by taking control of specific players. 
This makes it easier to model protocols among multiple players, where we assume 
that all dishonest players collaborate to form a single adversary. 

1.2.2 Assumptions 

In an ideal world, we could implement any cryptographic protocol described be- 
low. Interestingly though, even in the quantum world we encounter physical 
limits which prevent us from doing so with unconditional security. Unconditional 
security most closely corresponds to the intuitive notion of "secure". A protocol 
that is unconditionally secure fulfills its purpose and is secure even if an attacker 
is granted unlimited resources. We happily provide him with the most powerful 
computer we could imagine and as much memory space as he wants. The main 
question of unconditional security is thus whether the attacker obtains enough 
information to defeat the security of the system. Unconditional security is also 
called perfect secrecy in the context of encryption systems, and forms part of 
information-theoretic security. 

Most often, however, unconditional security can never be achieved. We must
therefore resign ourselves to introducing additional limitations on the
adversary: the protocol will only be secure if certain assumptions hold. In
practice, these assumptions can be divided into two big categories: In the
first, we assume that the players have access to a common resource with special
properties. This includes models such as a trusted initializer [Riv99], or
another source that provides the players with shared randomness drawn from a
fixed distribution. An example of this is also a noisy channel [CK88]:
Curiously, a noisy channel that neither player can influence too much turns out
to be an incredibly powerful resource. The second category consists of clear
limitations on the ability of the adversary. For example, the adversary may have
limited storage space available [Mau92, DFSS05], or experience noise when trying
to store qubits as we will see in Chapter 11. In multi-player protocols we can
also demand that dishonest players cannot communicate during the course of the
protocol, that messages between different players take a certain time to be
transmitted, or that only a minority of the players is dishonest. In the quantum
case, other known assumptions include limiting the adversary to measure not more
than a certain number of qubits at a time [Sal98], or introducing superselection
rules [KMP04], where the adversary can only make a limited set of quantum
measurements. When introducing such assumptions, we still speak of
information-theoretic security: Except for these limitations, the adversary
remains all-powerful. In particular, he has unlimited computational resources.

Classically, most forms of practical cryptography are shown to be computa- 
tionally secure. In this security model, we do not grant an adversary unlimited 
computational resources. Instead, we are concerned with the amount of com- 
putation required to break the security of a system. We say that a system is 
computationally secure, if the believed level of computation necessary to defeat it 
exceeds the computational resources of any hypothetical adversary by a comfort- 
able margin. The adversary is thereby allowed to use the best possible attacks 
against the system. Generally, the adversary is modeled as having only polyno- 
mial computational power. This means that any attacks are restricted to time 
and space polynomial in the size of the underlying security parameters of the 
system. In this setting the difficulty of defeating the system's security is often 
proven to be as difficult as solving a well-known problem which is believed to be 
hard. The most popular problems are often number-theoretic problems such as 
factoring. Note that for example in the case of factoring, it is not known whether 
these problems are truly difficult to solve classically. Many such problems, such 
as factoring, fold with the advent of a quantum computer [Sho97]. It is an
interesting open problem to find classical hardness assumptions, which are still
secure given a quantum computer. Several proposals are known [Reg03], but so far
none of them have been proven secure.

In the realm of quantum cryptography, we are so far only interested in in- 
formation-theoretic security: we may introduce limitations on the adversary, but 
we do not resort to computational hardness assumptions. 



1.2.3 Quantum properties 

Quantum mechanics introduces several exciting aspects to the realm of cryptog- 
raphy, which we can exploit to our benefit, but which also introduce additional 
complications even in existing classical primitives whose security does not de- 
pend on computational hardness assumptions. Here, we give a brief introduction 
to some of the most striking aspects, which we will explain in detail later on. 

1. Quantum states cannot be copied: In classical protocols, an adversary 
can always copy any messages and his classical data at will. Quantum 
states, however, differ: We will see in Chapter 2 that we cannot copy an
arbitrary qubit. This property led to the construction of the unforgeable
subway tokens [BBBW82] mentioned earlier.

2. Information gain can be detected: Classically there is no way for an
honest player to determine whether messages have been read maliciously
outside the scope of the protocol. However, in a quantum setting we can
detect whether an adversary tried to extract information from a transmitted
message. This property forms the heart of quantum key distribution
described below. It also allows us to construct cheat-sensitive protocols, a
concept which is foreign to classical cryptography: even though we cannot
prevent an adversary from gaining information if he intends to do so, we
will be able to detect such cheating and take appropriate action. We will
return to this aspect in Chapter 2.

3. Uncertainty relations exist: Unlike in the classical world, quantum 
states allow us to encode multiple bits into a single state in such a way 
that we cannot extract all of them simultaneously. This property is closely 
related to cheat-sensitivity, and is a consequence of the existence of
uncertainty relations we will encounter in Chapter 4. It is also closely related to
what is known as quantum random access codes, which we will employ in
Chapter 8.

4. Information can be "locked": Another aspect we need to take into 
account when considering quantum protocols is an effect known as lock- 
ing classical information in quantum states. Surprisingly, the amount of 
correlation between two parties can increase by much more than the data 
transmitted. We will examine this effect for a specific measure of correlation 
in more detail in Chapter 5.

5. Entanglement allows for stronger correlations: Entanglement is an- 
other concept absent from the classical realm. Whereas entanglement has 
many useful applications such as quantum teleportation and can also be 
used to analyze the security of quantum key distribution, it also requires 
us to be more cautious: In Chapter 9 we will see that the parameters of
classical protocols can change dramatically if dishonest players share
entanglement, even if they do not have access to a full quantum computer. In
Chapter 10, entanglement will enable an adversary to break any quantum
string commitment protocol.

6. Measurements can be delayed: Finally, we encounter an additional ob- 
stacle, which is also entirely missing from classical protocols: Players may 
delay quantum measurements. In any classical protocol, we can be assured 
that any input and output is fixed once the protocol ends. In the quan- 
tum case, however, players may alter their protocol input retroactively by 
delaying quantum measurements that depend on their respective inputs.
Essentially, in a classical protocol the players will automatically be "com- 
mitted" to the run of the protocol, whereas in the quantum setting this 
property is entirely missing. This can make an important difference in
reductions among several protocols as we will see in Section 1.3.2 below.



1.3 Primitives 



We now present an overview of the most common multi-party protocol primitives, 
and what is known about them in the quantum setting. We already encountered 
quantum key distribution (QKD) in the introduction. In this thesis, our focus 
lies on cryptographic protocols other than QKD. 



1.3.1 Bit commitment 

Possibly the most active area of quantum cryptography in the early stages next 
to QKD was quantum bit commitment: Imagine two mutually distrustful parties 
Alice and Bob at distant locations. They can only communicate over a channel, 
but want to play the following game: Alice secretly chooses a bit c. Bob wants to 
be sure that Alice indeed has made her choice. Yet, Alice wants to keep c hidden 
from Bob until she decides to reveal c. To convince Bob that she made up her 
mind, Alice sends Bob a commitment. From the commitment alone, Bob cannot
deduce c. At a later time, Alice reveals c and enables Bob to open the commit- 
ment. Bob can now check if Alice is telling the truth. This scenario is known as 
bit commitment. Commitments play a central role in modern-day cryptography.




Figure 1.3: Schematic run of a BC protocol when Alice and Bob are honest. 



They form an important building block in the construction of larger protocols 
in, for example, gambling and electronic voting, and other instances of secure 
two-party computation. In the realm of quantum mechanics, it has been shown 
that oblivious transfer [BBCS92b] (defined in Section 1.3.2) can be achieved
provided there exists a secure bit commitment scheme [Yao95, Cre94]. In turn,
classical oblivious transfer can be used to perform any secure two-party
computation defined below [CvdGT95]. Commitments are also useful for constructing
zero-knowledge proofs [Gol01] and lead to coin tossing [Blu83]. Informally, bit
commitment can be defined as follows: 

1.3.1. Definition. Bit commitment (BC) is a two-party protocol between Al- 
ice (the committer) and Bob (the verifier), which consists of three stages, the 
committing and the revealing stage, and a final declaration stage in which Bob 
declares "accept" or "reject". The following requirements should hold:

• (Correctness) If both Alice and Bob are honest, then before the committing 
stage Alice picks a bit c. Alice's protocol depends on c and any randomness 
used. At the revealing stage, Alice reveals to Bob the committed bit c. Bob 
accepts. 

• (Binding) If Alice wants to reveal a bit c', then

$\Pr[\text{Bob accepts} \mid c' = 0] + \Pr[\text{Bob accepts} \mid c' = 1] \leq 1$.



• (Concealing) If Alice is honest, Bob does not learn anything about c before
the revealing stage. 

Classically, unconditionally secure bit commitment is known to be impossi- 
ble. Indeed, this is very intuitive if we consider the implications of the concealing 
condition: This condition implies that exactly the same information exchange 
must have occurred if Alice committed herself to c = 0 or c = 1, otherwise
Bob would be able to gain information about c. But this means that even if 
Alice initially made a commitment to c = 0, she can later reconstruct the run 
of the protocol as if she had committed herself to c = 1 and thus send the 
right message to Bob to reveal c = 1 instead. Unfortunately, even quantum 
communication cannot help us to implement unconditionally secure bit commitment
without further assumptions: After several quantum schemes were suggested
[BB84, BC90a, BCJL93], quantum bit commitment was shown to be impossible,
too [May96b, LC97, May97, LCM, BCMS97, CL98, DKSW06], even in
the presence of superselection rules [KMP04], where the adversary can only
perform a certain restricted set of measurements. In the face of the negative
results, what can we still hope to achieve?

Evidently, we need to assume that the adversary is limited in certain ways. In 
the classical case, bit commitment is possible if the adversary is computationally 
bounded [Gol01], if one-way functions exist [Nao91, HR07], if Alice and Bob are
connected via a noisy channel that neither player can influence too much [CK88,
DKS99, DFMS04], or if the adversary is bounded in space instead of time, i.e., he
is only allowed to use a certain amount of storage space [Mau92]. Unfortunately,
the security of the bounded classical storage model [Mau92, CCM98] is somewhat
unsatisfactory: First, a dishonest player needs only quadratically more memory
than the honest one to break the security. Second, as classical memory is very
cheap, most of these protocols require huge amounts of communication in order
to achieve reasonable bounds on the adversary's memory.

Do we gain anything by using quantum communication? Interestingly, even 
without any further assumptions, quantum cryptography at least allows us to 
implement imperfect forms of bit commitment, where Alice and Bob both have 
a limited ability to cheat. That is, we allow Alice to change her mind, and 
Bob to learn the committed bit with a small probability. These protocols are 
based on the fact that quantum protocols can exhibit a form of cheat sensitivity
unavailable to classical communication [HK04, ATSVY00]. Exact tradeoffs
on how well we can implement bit commitment in the quantum world can be
found in [SR02a]. Protocols that make use of this tradeoff are cheat-sensitive,
as described in Section 1.2.2. Examples of such protocols have been used to
implement coin tossing [Amb01] as described in Section 1.3.2. In Chapter 10, we
will consider commitments to an entire string of bits at once. Whereas this task
turns out to be impossible as well for a strong security definition, we will see that
non-trivial quantum protocols do exist for a very weak security definition. Bit
commitment can also be implemented under the assumption that faster than light
communication is impossible, provided that Alice and Bob are located very far
apart [Ken99], or if Alice and Bob are given access to non-local boxes [BCU+06]
which provide superstrong non-local correlations.

But even a perfect commitment can be implemented, if we make quantum 
specific assumptions. For example, it is possible to securely implement BC pro- 
vided that an adversary cannot measure more than a fixed number of qubits 
simultaneously [Sal98]. With current-day technology, it is very difficult to store
states even for a very short period of time. This leads to the protocol presented in
[BBCS92a, Cre94], which shows how to implement BC and OT (defined below) if
the adversary is not able to store any qubits at all. In [DFSS05, DFR+07], these
ideas have been generalized in a very nice way to the bounded-quantum-storage
model, where the adversary is computationally unbounded and is allowed to have
an unlimited amount of classical memory. However, he is only allowed a limited
amount of quantum memory. The advantages over the classical bounded-storage
model are two-fold: First, given current day technology it is indeed very hard to
store quantum states. Secondly, the honest players do not require any quantum
storage at all, making the protocol much more efficient. It has been shown that
such protocols remain secure when executed many times in a row [WW07].

1.3.2 Secure function evaluation 

An important aspect of modern day cryptography is the primitive known as secure 
function evaluation, and its multi-player analogue, secure multi-party
computation, first suggested by Yao [Yao82]. Imagine that Alice and Bob are trying to
decide whether to attend an unpopular administrative event. If Alice attends,
Bob feels forced to attend as well and vice versa. However, neither of them 
wants to announce publicly whether they are planning to attend or whether they 
would rather make up an excuse to remain at home, as this may have dire conse- 
quences. How can Alice and Bob solve their dilemma? Note that their problem 
can be phrased in the following form: Let x be Alice's private input bit, where
x = 1 if Alice is planning to attend and x = 0 if Alice skips the event. Similarly,
let y be Bob's private input bit. Alice and Bob now want to compute OR(x, y) in
such a way that both of them learn the result, but neither of them learns anything
more about the input of the other player than can be inferred from the result.
In our example, if OR(x, y) = 1, at least one of the players is planning to attend
the event. Both Alice and Bob now attend the event, and both of them can
safely claim that they really did plan to do so in the first place. If OR(x, y) = 0,
Alice and Bob learn that they both agree, and do not need to fear any political 
consequences. 

Secure function evaluation enables Alice and Bob to solve any such task. Pro- 
tocols for secure function evaluation enable us to construct protocols for electronic 
voting and secure auctions. Informally, we define: 

1.3.2. Definition. Secure function evaluation (SFE) is a two-party protocol 
between Alice and Bob, where Alice holds a private input x and Bob holds a 
private input y such that 

• (Correctness) If both Alice and Bob are honest, then they both output the 
same value v = f(x, y).

• (Security) If Alice (Bob) is dishonest, then Alice (Bob) does not learn more 
about x (y) than can be inferred from f(x, y).

A common variant of SFE is so-called one-sided SFE: Here, only one of the two 
players receives the result of the computation, f(x, y). Sadly, we cannot
implement SFE for an arbitrary function f classically without additional assumptions,
akin to bit commitment. Even in the quantum world, the situation is equally
bleak: SFE remains impossible in the quantum setting [Lo97]! Fortunately, the
situation improves when we consider multi-party protocols as mentioned below.

Oblivious transfer 

A special case of secure function evaluation is the problem of oblivious transfer, 
which was first introduced by Rabin [Rab81]. The variant of 1-2 OT appeared in a
paper by Even, Goldreich and Lempel [EGL85] and also, under a different name,
in the well-known paper by Wiesner [Wie83]. 1-2 OT allows Alice and Bob to solve
a seemingly uninteresting problem: The sender (Alice) secretly chooses two bits
$s_0$ and $s_1$, the receiver (Bob) secretly chooses a bit c. The primitive of oblivious
transfer allows Bob to retrieve $s_c$ in such a way, that Alice cannot gain any
information about c. At the same time, Alice is ensured that Bob only retrieves
$s_c$ and gets no information about the other input bit $s_{1-c}$. Oblivious transfer can
be used to perform any secure two-party computation [Kil88, CvdGT95], and is
therefore a very important primitive.




Figure 1.4: Schematic run of a 1-2 OT protocol. 

Unlike in the classical setting, oblivious transfer in the quantum world requires 
additional caution: We want that after the protocol ends, both of Alice's input
bits $s_0$, $s_1$ and Bob's choice bit c have been determined. That is, they are fixed
and the players can no longer change their mind. In particular, we do not want
Bob to delay his choice of c indefinitely, possibly by delaying a quantum
measurement. Similarly, Alice should not be able to change her mind about, for example,
the parity of $s_0 \oplus s_1$ after the end of the protocol by delaying a measurement.
Informally, we define 

1.3.3. Definition. $\binom{2}{1}$-oblivious transfer (1-2 OT$(s_0, s_1)(c)$) is a two-party
protocol between Alice (the sender) and Bob (the receiver), such that

• (Correctness) If both Alice and Bob are honest, the protocol depends on
Alice's two input bits $s_0, s_1 \in \{0, 1\}$ and Bob's input bit $c \in \{0, 1\}$. At the
end of the protocol Bob knows $s_c$.

• (Security against Alice) If Bob is honest, Alice does not learn c.

• (Security against Bob) If Alice is honest, Bob does not learn anything about

After the protocol ends, $s_0$, $s_1$ and c have been chosen.

Classically, 1-2 OT can be obtained from the following simpler primitive, also 
known as Rabin-OT [Rab81] or erasure channel. Conversely, OT can be obtained
from 1-2 OT. 

1.3.4. Definition. Rabin Oblivious transfer (Rabin-OT) is a two-party proto- 
col between Alice (the sender) and Bob (the receiver), such that 
• (Correctness) If both Alice and Bob are honest, the protocol depends on
Alice's input bit $b \in \{0, 1\}$. At the end of the protocol, Bob obtains b with
probability 1/2 and knows whether he obtained b or not.

• (Security against Alice) If Bob is honest, Alice does not learn whether Bob
obtained b.

• (Security against Bob) If Alice is honest, Bob's probability of learning bit
b does not exceed 1/2.

After the protocol ends, b has been chosen.

The fact that Alice and Bob may delay their measurements makes an impor- 
tant difference, as the following simple example shows: Consider the standard 
reduction of Rabin-OT to 1-2 OT: Alice uses inputs $s_k = b$ and = with
$k \in \{0, 1\}$. Bob uses input $c \in_R \{0, 1\}$, for a randomly chosen c. The players
now perform 1-2 OT$(s_0, s_1)(c)$ after which the receiver holds $s_c$. Subsequently,
Alice announces k. If k = c, Bob succeeded in retrieving b and otherwise he
learns nothing. This happens with probability p = 1/2 and thus we have
constructed Rabin-OT from one instance of 1-2 OT. Clearly, this reduction fails if
we use a 1-2 OT protocol in which Bob can defer his choice of c, possibly by
delaying a quantum measurement that depends on c. He simply waits until Alice
announces k, to retrieve $s_k$ with certainty. This simple example makes it clear
that implementing 1-2 OT is far from a trivial task in the quantum setting. Even
the classical definitions need to be revised carefully. In this brief overview, we
restricted ourselves to the informal definition given above, and refer to [Wul07]
for an extensive treatment of the definition of oblivious transfer.
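
The reduction just described can be replayed against two idealized models of 1-2 OT, given here as an added example that is not part of the original text: one box fixes Bob's choice c when the protocol ends, the other lets him supply c later while still releasing only one bit. The class and function names are hypothetical, and fixing Alice's unused input to 0 is an assumption made for this example.

```python
from fractions import Fraction
from itertools import product

UNUSED = 0  # assumption: value Alice places in the slot that does not carry b


class CommittedOT:
    """Ideal 1-2 OT: Bob's choice c is fixed when the protocol ends."""

    def __init__(self, s0, s1, c):
        self.c = c
        self._out = (s0, s1)[c]  # Bob's output is determined right here

    def read(self):
        return self._out


class DeferredOT:
    """Flawed 1-2 OT: models a Bob who has not yet performed the measurement
    that depends on c. He may pick c later, but can read only one bit."""

    def __init__(self, s0, s1):
        self._s = (s0, s1)
        self._spent = False

    def read(self, c):
        if self._spent:
            raise RuntimeError("the state has already been measured")
        self._spent = True
        return self._s[c]


def alice_inputs(b, k):
    """Alice puts her Rabin-OT input b in slot k, the filler in the other."""
    s = [UNUSED, UNUSED]
    s[k] = b
    return s[0], s[1]


def rabin_ot_honest(b, k, c):
    """Reduction with a Bob whose choice c is fixed before k is announced.
    Returns (obtained, bit); bit is None when Bob did not obtain b."""
    s0, s1 = alice_inputs(b, k)
    box = CommittedOT(s0, s1, c)       # the 1-2 OT ends, c is fixed
    out = box.read()
    announced_k = k                    # only now does Alice announce k
    if announced_k == box.c:
        return True, out               # Bob holds s_k = b and knows it
    return False, None                 # Bob holds the filler bit only


def rabin_ot_deferring_bob(b, k):
    """Reduction with a Bob who delays his measurement until k is known."""
    s0, s1 = alice_inputs(b, k)
    box = DeferredOT(s0, s1)           # the 1-2 OT "ends", nothing is fixed
    announced_k = k
    return True, box.read(announced_k) # Bob simply chooses c = k


def success_probability(run, bob_picks_c):
    """Exact probability that Bob ends up holding b, for uniform b and k
    (and uniform c when Bob has to pick it in advance)."""
    space = list(product((0, 1), repeat=3 if bob_picks_c else 2))
    wins = 0
    for args in space:
        obtained, bit = run(*args)
        if obtained:
            assert bit == args[0]      # whenever Bob "obtains", it is b
            wins += 1
    return Fraction(wins, len(space))


if __name__ == "__main__":
    print("committed Bob:", success_probability(rabin_ot_honest, True))
    print("deferring Bob:", success_probability(rabin_ot_deferring_bob, False))
```

With the committed box Bob obtains b in exactly half of all runs, as Rabin-OT requires; with the deferred box the bound of 1/2 on Bob's probability of learning b is violated in every run.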

Note that oblivious transfer forms an instance of secure function evaluation 
with $f : \{0, 1\}^2 \times \{0, 1\} \to \{0, 1\}$ satisfying $f(s_0, s_1, c) = s_c$, where only one player
(Bob) learns the output. Hence by Lo's impossibility result for SFE discussed
earlier, oblivious transfer is not possible in the quantum setting either without
introducing additional assumptions. Indeed, note that there exists a classical
reduction of bit commitment to oblivious transfer (up to a vanishing probability),
where we reverse the roles of Alice and Bob for bit commitment: Alice simply
chooses two n-bit strings $x_0 \in_R \{0, 1\}^n$ and $x_1 \in_R \{0, 1\}^n$. Alice and Bob now
use n rounds of 1-2 OT, where Bob retrieves $x_c$ when he wants to commit to
a bit c. To reveal, he then sends c and $x_c$ to Alice. Intuitively, one can thus
hope to use the impossibility proof of bit commitment to show that oblivious
transfer is impossible as well, without resorting to [Lo97]. However, note that we
would first have to show the security of this reduction with respect to a quantum
adversary. Fortunately, oblivious transfer becomes possible if we make the same
assumptions as for bit commitment described in Section 1.3.1. We will consider
how to implement oblivious transfer if the adversary's quantum storage is subject
to noise in Chapter 11.
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Coin tossing 

Another example of SFE is the well-known primitive of coin tossing [Blu83],
which can be viewed as an instance of randomized secure function evaluation
defined in [Gol01]. Imagine that Alice and Bob want to toss a coin, solely by
communicating over a classical and a quantum channel. We thereby want to
ensure that neither party can influence the outcome of the coin toss by too much.
Unfortunately, we cannot implement this primitive classically without relying on
additional assumptions.

What assumptions do we need to implement coin tossing? It is easy to see that
we can implement one form of coin tossing, if we could perform bit commitment:
Alice chooses a random bit $b \in_R \{0, 1\}$ and commits herself to $b$. Subsequently,
Bob chooses a random bit $b' \in_R \{0, 1\}$ and sends it to Alice. After receiving
$b'$, Alice opens her commitment and reveals $b$. Both parties now output
$c = b \oplus b'$ as their outcome. Thus, any assumptions that enable us to implement
bit commitment also lead to coin tossing. Some assumptions even allow for very 
simple protocols: If we assume that Alice and Bob are located far apart and 
faster-than-light communication is impossible, they can simply both flip a coin 
themselves and send it over the channel. They then take the xor of the two bits 
as the outcome of the coin flip. If Alice and Bob do not receive the other's bit 
within a certain time frame they reject this execution of the protocol and restart. 
Since it takes the bit a specific time to travel over the channel, both parties can 
be sure that it must have been sent before a certain time, i.e., before receiving 
the other's bit. 
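The commit-then-reveal coin toss described above, as an added example that is not part of the original text. The SHA-256 commitment with a random nonce is an assumption of this example (a computational stand-in for the bit commitment the text assumes), and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def commit(bit):
    """Commit to one bit; returns (commitment, opening nonce)."""
    nonce = secrets.token_bytes(32)           # hides the bit from Bob
    digest = hashlib.sha256(nonce + bytes([bit])).digest()
    return digest, nonce


def opens_to(commitment, bit, nonce):
    """Bob's check that (bit, nonce) is a valid opening of the commitment."""
    if bit not in (0, 1):
        return False
    expected = hashlib.sha256(nonce + bytes([bit])).digest()
    return hmac.compare_digest(commitment, expected)


class Alice:
    def __init__(self, b=None):
        self.b = secrets.randbelow(2) if b is None else b

    def commit_phase(self):
        self.commitment, self.nonce = commit(self.b)
        return self.commitment

    def reveal_phase(self, b_prime):
        self.b_prime = b_prime
        return self.b, self.nonce

    def output(self):
        return self.b ^ self.b_prime


class EquivocatingAlice(Alice):
    """Dishonest Alice: after seeing b' she claims whichever b yields `target`."""

    def __init__(self, target, b=None):
        super().__init__(b)
        self.target = target

    def reveal_phase(self, b_prime):
        self.b_prime = b_prime
        return self.target ^ b_prime, self.nonce


class Bob:
    def __init__(self, b_prime=None):
        self.b_prime = secrets.randbelow(2) if b_prime is None else b_prime

    def respond(self, commitment):
        self.commitment = commitment          # stored before b' is sent
        return self.b_prime

    def output(self, b, nonce):
        if not opens_to(self.commitment, b, nonce):
            return None                       # abort: the opening does not verify
        return b ^ self.b_prime


def run(alice, bob):
    """One protocol run; returns Bob's output (0, 1, or None for abort)."""
    commitment = alice.commit_phase()
    b_prime = bob.respond(commitment)
    b, nonce = alice.reveal_phase(b_prime)
    return bob.output(b, nonce)


if __name__ == "__main__":
    print("honest run:", run(Alice(), Bob()))
    print("equivocating Alice:", run(EquivocatingAlice(target=1, b=1), Bob(b_prime=1)))
```

A dishonest Alice cannot change her bit after seeing $b'$, but a failed opening makes Bob abort rather than output a coin, so how aborts are counted matters when judging such a protocol.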

Many definitions of coin tossing are known in the literature, which exhibit
subtle differences, especially in whether aborts are allowed during the protocol.
In the quantum literature, strong coin tossing^1 has been informally defined as
follows:

1.3.5. Definition. A quantum strong coin tossing protocol with bias $\varepsilon$ is a
two-party protocol, where Alice and Bob communicate and finally decide on a value
$c \in \{0, 1, \perp\}$ such that

• If both parties are honest, then $\Pr[c = 0] = \Pr[c = 1] = 1/2$.

• If one party is honest, then for any strategy of the dishonest player
$\Pr[c = 0] \le 1/2 + \varepsilon$ and $\Pr[c = 1] \le 1/2 + \varepsilon$.

Sadly, strong coin tossing cannot be implemented perfectly with bias $\varepsilon = 0$
[LC98]. However, one might hope that one could still achieve an arbitrarily
small bias $\varepsilon > 0$. Many protocols have been proposed for quantum strong coin
tossing and subsequently been broken [MSC99, ZLG00]. Sadly, it was shown that
strong coin tossing cannot be implemented with an arbitrarily small bias, and
$\varepsilon = 1/\sqrt{2} - 1/2 \approx 0.207$ is the best we could hope to achieve [Kit02]. So far,
quantum protocols for strong coin tossing with a bias of $\varepsilon \approx 0.42$ [ATSVY00] and
finally $\varepsilon = 1/4$ [Amb01, SR02a, KN04, Com] are known. No formal definition of
strong coin tossing in the quantum setting is known to date, that specifies how
to deal with an abort in the case when the protocol is executed multiple times.

^1 Unfortunately, these names carry a slightly different meaning in the classical literature.

To circumvent this problem, a slightly weaker primitive has been proposed,
which carries the name weak coin tossing in the quantum literature. Here, we
explicitly allow the dishonest party to bias the coin entirely in one direction, but
limit his ability to bias the coin the other way. This scenario corresponds to a
setting where, for example, Alice wins if the outcome is $c = 0$ and Bob if $c = 1$.
However, we do allow each player to give in and lose at will. Intuitively, this
setting makes more sense in all common practical examples when considering a
standalone run of such a protocol, where each player has a preferred outcome.
Informally, we define

1.3.6. Definition. A quantum weak coin tossing protocol with bias $\varepsilon$ is a
two-party protocol, where Alice and Bob communicate and finally decide on a value
$c \in \{0, 1, \perp\}$ such that

• If both parties are honest, then $\Pr[c = 0] = \Pr[c = 1] = 1/2$.

• If Alice is honest, then for any strategy of Bob

$\Pr[c = 1] \le 1/2 + \varepsilon$.

• If Bob is honest, then for any strategy of Alice

$\Pr[c = 0] \le 1/2 + \varepsilon$.

Weakening the definition in this way indeed helps us! It has been shown
that we can construct a quantum protocol for weak coin tossing that achieves
a bias of $\varepsilon \approx 0.239$ [KN04], $\varepsilon \approx 0.207$ [SR02b], $\varepsilon \approx 0.192$ [Moc04], and
$\varepsilon \approx 0.167$ [Moc05]. Very recently, however, a protocol with an arbitrarily small
bias has been suggested [Moc07b]! To date, there is also no formal definition of
weak coin tossing in the quantum setting.

Multiple players 

Secure multi-party computation (SMP) concerns an analogous task to SFE,
involving $n$ players $P_1, \ldots, P_n$, where $P_j$ has a private input $x_j$. Their goal is to
compute $f(x_1, \ldots, x_n)$ such that none of them can learn more about the input of
any other player than they can infer from $f(x_1, \ldots, x_n)$. Fortunately, the
situation changes dramatically when extending the protocol to multiple players. SMP
can be implemented with unconditional security even classically, provided that
$t < n/3$ of the players are dishonest [Gol01]. If the adversary is not dishonest,
but merely honest-but-curious, it is possible to increase $t$ up to $t < n/2$ [Gol01].
We refer to [Cra99] for an overview of classical secure multi-party computation.

Quantumly, one can generalize secure multi-party computation to the following
setting. Each player $P_j$ holds an input state $\rho_j \in \mathcal{H}_j$ (see Chapter 2 for details).
Let $\rho \in \mathcal{H}_1 \otimes \ldots \otimes \mathcal{H}_n$ denote the joint state of players $P_1, \ldots, P_n$. Then
quantum secure multi-party computation (QSMP) allows the players to compute any
quantum transformation $U$ to obtain $U \rho U^\dagger$, where player $P_j$ receives the quantum
state on $\mathcal{H}_j$ as his output. QSMP can be implemented securely if $t < n/2$ of the
players are dishonest [CGS02, CGS05].

Coin tossing has also been studied in the multi-party setting. Classically,
multi-party coin tossing forms part of secure multi-party computation [Gol01],
and can thus be implemented under the same assumptions. Quantumly,
multi-party coin tossing has been studied in [ABRD04].



1.3.3 Secret sharing 

Another interesting problem concerns the sharing of a classical or quantum secret.
Imagine Alice holding an important piece of information, for example the launch
code to her personal missile silo. Alice would like to enable members of her
community to gain access, but wants to prevent a single individual from launching
a missile on his own. Secret sharing enables Alice to distribute some secret data
$d$ among a set of $n$ players, such that at least $t > 1$ players need to combine their
individual shares to reconstruct the original secret $d$. A trivial secret sharing
scheme for a bit $d \in \{0, 1\}$ involving just two players is as follows: Alice picks
$r \in_R \{0, 1\}$ and hands $s_1 = d \oplus r$ to the first player, and $s_2 = r$ to the second
player. Clearly, if $r$ is chosen uniformly at random from $\{0, 1\}$, none of the
individual players can gain any information about $d$. Yet, when combining their
individual shares they can compute $s_1 \oplus s_2 = d$.
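The two-player XOR scheme above, together with a $t$-out-of-$n$ threshold scheme, as an added example that is not part of the original text. It goes beyond the two-player case by using Shamir's polynomial construction; the prime field, the function names and the sample values are assumptions of this example.

```python
import secrets

P = 2**127 - 1  # prime modulus of the field the shares live in (assumed choice)


def xor_split(d):
    """The two-player scheme from the text: s1 = d XOR r, s2 = r."""
    r = secrets.randbelow(2)
    return d ^ r, r


def xor_combine(s1, s2):
    return s1 ^ s2


def eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... modulo P (Horner's rule)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % P
    return acc


def shamir_split(secret, n, t, coeffs=None):
    """Split `secret` into n shares such that any t of them reconstruct it.
    `coeffs` fixes the t-1 random coefficients and exists for testing only."""
    if not 1 < t <= n < P:
        raise ValueError("need 1 < t <= n < P")
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    if coeffs is None:
        coeffs = [secrets.randbelow(P) for _ in range(t - 1)]
    if len(coeffs) != t - 1:
        raise ValueError("need exactly t-1 coefficients")
    poly = [secret] + list(coeffs)
    return [(x, eval_poly(poly, x)) for x in range(1, n + 1)]


def interpolate(points, x):
    """Value at x of the unique polynomial of degree < len(points) through them."""
    xs = [px for px, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total


def shamir_combine(shares):
    """Reconstruct the secret as the polynomial's value at x = 0."""
    return interpolate(shares, 0)


def share_consistent_with(shares, candidate_secret, x):
    """For t-1 shares and ANY candidate secret, return the share at x that would
    make the set reconstruct to that candidate: t-1 shares exclude nothing."""
    return interpolate([(0, candidate_secret)] + list(shares), x)


if __name__ == "__main__":
    shares = shamir_split(1234, n=6, t=3)
    print("any 3 shares:", shamir_combine(shares[1:4]))
    print("only 2 shares:", shamir_combine(shares[:2]))
```

With fewer than $t$ shares, every candidate secret remains equally consistent with what the players hold, which is the threshold analogue of the single XOR share revealing nothing about $d$.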

General secret-sharing schemes were introduced by Shamir [Sha79] and Blakley
[Bla79]. They have found a wide range of applications, most notably to construct
protocols for secure multi-party computation as described in Section 1.3.2. Many
classical secret sharing schemes are known today [MvOV97]. Quantum secret
sharing was first introduced in [HBB99] and shortly after in [CGL99], which
also formed a link between quantum secret sharing schemes and error correcting
codes. Quantumly, we can distinguish two types of secret sharing schemes: The
first allows us to share a quantum secret, i.e., Alice holds a quantum state $\rho$ and
wants to construct $n$ quantum shares $\sigma_1, \ldots, \sigma_n$ such that when $t$ such shares are
combined $\rho$ can be reconstructed [HBB99, CGL99, Got00]. The second allows us
to share classical secrets using quantum states that have very nice data-hiding
properties [DLT02, DHT03, EW02, HLS05]: it is not sufficient for $n$ parties to
perform local measurements and communicate classically in order to reconstruct
the secret. To reconstruct the secret data they must communicate quantumly to
perform a coherent measurement on their states. It is an exciting open question
whether such schemes can be used to implement quantum protocols for secure
multi-party computations with classical inputs that remain secure as long as the
dishonest players can only communicate classically, but not quantumly.



1.3.4 Anonymous transmissions 

In all applications we considered so far, we were concerned with two aspects:
either, we wanted to protect protocol participants from being cheated by the other
players, or, we wanted to protect the secrecy of data from a third party as in
the setting of key distribution described in Section 1.1. In the problem of key
distribution, sender and receiver know each other, but are trying to protect their
data exchange from prying eyes. Anonymity, however, is the secrecy of identity.
Primitives to hide the sender and receiver of a transmission have received
considerable attention in classical computing. Such primitives allow any member of a
group to send and receive data anonymously, even if all transmissions can be
monitored. They play an important role in protocols for electronic auctions [SA99],
voting protocols and sending anonymous email [Cha81]. An anonymous channel
which is completely immune to any active attacks would be a powerful
primitive. It has been shown how two parties can use such a channel to perform
key-exchange [AS83].

A considerable number of classical schemes have been suggested for anony- 
mous transmissions. An unconditionally secure classical protocol was introduced 
by Chaum [Cha88] in the context of the Dining Cryptographers Problem. Such
a protocol can also be considered an instance of secure multi-party computation 
considered above. 

Boykin [Boy02] considered a quantum protocol to send classical information
anonymously where the players distribute and test pairwise shared EPR pairs,
which they then use to obtain key bits. His protocol is secure in the presence
of noise or attacks on the quantum channel. In [CW05a], we presented a protocol
for anonymous transmissions of classical data that achieves a novel property
that cannot be achieved classically: it is completely traceless. This property is
related to, but stronger than, the notion of incoercibility in secure multi-party
protocols [CG96]. Informally, a protocol is traceless, if a player cannot be forced to
reveal his true input at the end of the protocol. Even when forced to hand out his
input, output and randomness used during the course of the protocol, a player is
able to generate fake input that is consistent with all other data gathered from
the run of the protocol. The protocols suggested in [Boy02] are not traceless, but
can be modified to exhibit this property. It would be interesting to see whether it
is possible to make general protocols for secure multi-party computation similarly
traceless.

The first protocol for the anonymous transmission of qubits was constructed
in [CW05a]. Whereas the anonymous transmissions of classical bits can be
implemented via secure multi-party computation, the scenario is different when we
wish to transmit qubits: as we will see in Chapter 2, qubits cannot be copied.
Thus we cannot expect each player to obtain a copy of the output. New protocols
for creating anonymous entanglement and anonymously transmitting qubits have
since been suggested in [BS05, BBF+].



1.3.5 Other protocols 

Besides the protocols above, a variety of other primitives making use of particular
quantum effects have been proposed. One of the oldest suggested applications
is the one of quantum money that is resistant to copying [Wie83], also proposed
as unforgeable subway tokens [BBBW82]. Quantum seals [BP03, Cha03, SS05]
employ the notion of cheat sensitivity in order to provide data with a seal that
is "broken" once the data is extracted. That is, we can detect whether the data
has been read. Perfect quantum seals that allow us to detect tampering with
certainty have been shown to be impossible [BPDM05]. Nevertheless, non-trivial
constructions can be implemented.

Furthermore, quantum signature schemes [GC01] have been proposed which
exhibit unconditional security: here Bob can verify Alice's signature using a public
key given to him ahead of time. Sadly, such a scheme slowly consumes the
necessary public key. Finally, protocols have been suggested for the encryption
of quantum data which allow $n$ qubits to be encoded using a $2n$ bit key achieving
perfect secrecy [BR03, AMTdW00]. Much smaller keys are possible, if we allow
for small imperfections [DN06, AS04]. Such encryption schemes have also been
used to allow for private circuit evaluation [Chi05]: Here, Alice encrypts her
quantum state before handing it to Bob who is capable of running a certain
quantum operation that Alice would like to apply. This allows Alice to let her
quantum operations be performed by Bob without revealing her quantum input.



1.4 Challenges 



As we saw in Section 1.2.3, introducing quantum elements into cryptography leads
to interesting new effects. Much progress has been made to exploit these quantum
effects, although many open questions remain. In particular, not much is known
about how well quantum protocols compose. That is, when we use one protocol as
a building block inside a larger application, does the protocol still remain secure as
expected? Recall from Section 1.2.3 that especially our ability to delay quantum
measurements has a great influence on composition. Fortunately, quantum key
distribution has been shown composable [BOHL+05, Ren05, RK05]. However,
composability remains a particularly tricky question in protocols where we are
not faced with an external eavesdropper, but where the players themselves are
dishonest. Composability of quantum protocols was first considered in [vdG98],
followed by [CGS02] who addressed the composability of QSMP, and the general
composability frameworks of [Unr04, BOM04] applied to QKD [BOHL+05]. Great
care must also be taken when composing quantum protocols in the bounded
quantum storage model [WW07]. Even though these composability frameworks
exist, very few protocols have been proven secure when composed.

Secondly, we need to consider what happens if an adversary is allowed to 
store even small amounts of quantum information. There are many examples 
known where quantum memory can prove much more useful to an adversary than 
classical memory [GKK+06], and we will encounter such examples in Chapters 3
and m 

Furthermore, it is often assumed that the downfall of computational assump- 
tions such as factoring is the only consequence that quantum computing has on 
the security of classical protocols. Sadly, this is by no means the only problem. 
Classical protocols where the security depends on the fact that different players 
cannot communicate during the course of the protocol may be broken when the 
players can share quantum entanglement and perform even a very limited set of 
quantum operations, well within the reach of current day technology. We will
encounter such an example in Chapter 9.

Furthermore, we may conceive new primitives, unknown to the classical set- 
ting. One such primitive is the distribution of shared quantum states in the 
presence of dishonest players. Here, our goal is to create a protocol among n 
players such that at the end of the protocol $m < n$ players share a specified state
$\rho$, where the dishonest players may apply any measurement to their share. It is
conceivable to extend the QSMP protocol of [CGS02] to address this problem,
yet, much more efficient protocols may be possible. Such a primitive would also
enable us to build up the resources needed by other protocols such as [CW05a].

Finally, it is an interesting question by itself, what cryptographic primitives 
are possible in a quantum mechanical world. Conversely, it has even been shown 
that the axioms governing quantum mechanics can in part be obtained from 
the premise that perfect bit commitment is impossible [CBH03]. Perhaps such
connections may lead to novel insights. 

1.5 Conclusion 

Quantum cryptography beyond quantum key distribution is an exciting subject. 
In this thesis, we will investigate several aspects that play an important role in 
nearly all cryptographic applications in the quantum setting.

In part I, we will examine how to extract information from quantum states.
We first consider the problem of state discrimination. Here, our goal is to
determine the identity of a state $\rho$ within a finite set of possible states
$\{\rho_1, \ldots, \rho_n\}$. In Chapter 3, we will examine a special case of this problem that
is of particular relevance to quantum cryptography in the bounded quantum storage
model: How well can we perform state discrimination if we are given additional
information after an initial quantum measurement, i.e., after a quantum memory
bound is applied? In Chapter 4, we address uncertainty relations, which play an
important role in nearly all cryptographic applications. We will prove tight bounds
for uncertainty relations for certain mutually unbiased measurements. We will
also present optimal uncertainty relations for anti-commuting measurements.
Finally, in Chapter 5, we then examine a peculiar quantum effect known as locking
classical information in quantum states. Such effects are important in the
security of QKD, and also play a role in quantum string commitments which we will
encounter in part III. In particular, we address the following question: Can we
always obtain good locking effects for mutually unbiased measurements?

In part II, we turn to investigate quantum entanglement. In Chapter 7,
we show how to find optimal quantum strategies for two parties who cannot
communicate, but share quantum entanglement. Understanding such strategies
plays an important part in understanding the effect of entanglement in otherwise
classical protocols. In Chapter 8, we then present some initial weak results on
the amount of entanglement such strategies require. Finally, in Chapter 9, we
show how the security of classical protocols can be affected considerably in the
presence of entanglement.



In part III, we investigate two cryptographic problems directly. In Chapter 10,
we first consider commitments: Quantumly, one may hope that committing
to an entire string of bits at once, and allowing Alice and Bob a limited ability 
to cheat, may still be within the realm of possibilities. This does not contradict 
that bit commitment itself is impossible. Unfortunately, we will see that for any 
reasonable security measure, string commitments are also impossible. However, 
non-trivial protocols do become possible for very weak notions of security. 

In Chapter 11, we then introduce the model of noisy-quantum storage that in
spirit is very similar to the setting of bounded-quantum storage: Here we assume 
that the adversary's quantum operations and storage are subject to noise. We 
show that oblivious transfer can be implemented securely in this model. We give 
an explicit tradeoff between the amount of noise and the security of our protocol. 



Part II 

Information in quantum states

Introduction



To investigate the limitations and possibilities of cryptographic protocols in a 
physical world, we must familiarize ourselves with its physical theory: quantum 
mechanics. What are quantum states and what sets them apart from the classical 
scenario? Here, we briefly recount the most elementary facts that will be necessary 
for the remainder of this text. We refer to [Per93] for a more gentle introduction
to quantum mechanics, to Appendix A for linear algebra prerequisites, and to the
symbol index on page 249 for unfamiliar notation. In later chapters, we examine 
some of the most striking aspects of quantum mechanics, such as uncertainty 
relations and entanglement in more detail. 



2.1 Quantum mechanics 
2.1.1 Quantum states 

A $d$-dimensional quantum state is a positive semidefinite operator $\rho$ of norm 1
(i.e., $\rho$ has no negative eigenvalues and $\mathrm{Tr}(\rho) = 1$) living in a $d$-dimensional
Hilbert space^1 $\mathcal{H}$. We commonly refer to $\rho$ as a density operator or density
matrix. A special case of a quantum state is a pure state, which has the property
that $\mathrm{rank}(\rho) = 1$. That is, there exists some vector $|\Psi\rangle \in \mathcal{H}$ such that we can
write $\rho = |\Psi\rangle\langle\Psi|$, where $|\Psi\rangle\langle\Psi|$ is a projector onto the vector $|\Psi\rangle$. If
$\{|0\rangle, \ldots, |d-1\rangle\}$ is a basis for $\mathcal{H}$, we can thus write
$|\Psi\rangle = \sum_{j=0}^{d-1} \alpha_j |j\rangle$ for some coefficients $\alpha_j \in \mathbb{C}$. Note that our
normalization constraint implies that $\mathrm{Tr}(\rho) = \sum_j |\alpha_j|^2 = 1$. We also say that
$|\Psi\rangle$ is in a superposition of vectors $|0\rangle, \ldots, |d-1\rangle$. Clearly, for a pure state
we have that $\rho^2 = \rho$ and thus $\mathrm{Tr}(\rho^2) = 1$.

^1 A complete vector space with an inner product. Here, we always consider a vector space
over the complex numbers.

Let's first look at an example of pure states. Suppose we consider a $d = 2$
dimensional quantum system $\mathcal{H}$, also called a qubit. We call $\{|0\rangle, |1\rangle\}$ the
computational basis, where

$$|0\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix} \quad \text{and} \quad |1\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix}.$$

Any pure qubit state can then be written as $|\Psi\rangle = \alpha|0\rangle + \beta|1\rangle$ for some
$\alpha, \beta \in \mathbb{C}$ with $|\alpha|^2 + |\beta|^2 = 1$. We take an encoding of '0' or '1' in the
computational basis to be $|0\rangle$ or $|1\rangle$ respectively, and use the subscript '+' to
refer to an encoding in the computational basis. An alternative choice of basis
would be the Hadamard basis, given by vectors $\{|+\rangle, |-\rangle\}$, where

$$|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle) \quad \text{and} \quad |-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle).$$

We use '×' to refer to an encoding in the Hadamard basis. We will often consider
systems consisting of $n$ qubits. If $\mathcal{H}$ is a 2-dimensional Hilbert space
corresponding to a single qubit, the system of $n$ qubits is given by the $n$-fold tensor
product $\mathcal{H}^{\otimes n}$ with dimension $d = 2^n$. A basis for this larger Hilbert space can
easily be found by forming the tensor products of the basis vectors of a single
qubit. For example, the computational basis for an $n$-qubit system is given by the
basis vectors $\{|x_1\rangle \otimes \ldots \otimes |x_n\rangle \mid x_j \in \{0, 1\}, j \in [n]\}$ where $[n] = \{1, \ldots, n\}$. We
will often omit the tensor product and use the shorthand
$|x_1 \ldots x_n\rangle = |x_1\rangle \otimes \ldots \otimes |x_n\rangle$.

If $\rho$ is not pure, then $\rho$ is a mixed state and can be written as a mixture of pure
states. That is, for any state $\rho$ there exist $\lambda_j \ge 0$ with $\sum_j \lambda_j = 1$ and vectors
such that

3 

Since $\rho$ is Hermitian, we can take $\lambda_j$ and to be the eigenvalues and
eigenvectors of $\rho$ respectively. We thus have for any quantum state that
$\mathrm{Tr}(\rho^2) \le 1$, where equality holds if and only if $\rho$ is a pure state. We can also
consider a mixture of quantum states, pure or mixed. Suppose we have a physical
system whose state $\rho_x$ depends on some value $x \in \mathcal{X}$ of a classical random
variable $X$ drawn from $\mathcal{X}$ according to a probability distribution $P_X$. For anyone
who does not know the value of $X$ (but does know the distribution $P_X$), the state
of the system is given as

$$\rho = \sum_x P_X(x) \rho_x.$$

We also call the set $\mathcal{E} = \{(P_X(x), \rho_x) \mid x \in \mathcal{X}\}$ an ensemble that gives rise to
the density matrix $\rho$. We generally use the common shorthand $\mathcal{E} = \{P_X(x), \rho_x\}$.
Clearly, for any state $\rho$ we can take its eigendecomposition as above to find one
possible ensemble that gives rise to $\rho$. With this interpretation in mind, it is now
intuitive why we wanted $\rho \ge 0$ and $\mathrm{Tr}(\rho) = 1$: the first condition ensures that $\rho$
has no negative eigenvalues and hence all probabilities $\lambda_j$ are non-negative. The
second condition ensures that the resulting distribution is indeed normalized. We
will use $\mathcal{S}(\mathcal{H})$ and $\mathcal{B}(\mathcal{H})$ to denote the set of all density matrices and the set of
all bounded operators on a system $\mathcal{H}$ respectively.

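Let's look at a small example illustrating the concept of mixed quantum states.
The density matrices corresponding to $|0\rangle$ and $|1\rangle$ are $\rho_{0+} = |0\rangle\langle 0|$ and
$\rho_{1+} = |1\rangle\langle 1|$, and the density matrices corresponding to $|+\rangle$ and $|-\rangle$ are given
by $\rho_{0\times} = |+\rangle\langle +|$ and $\rho_{1\times} = |-\rangle\langle -|$. Let's suppose we are now told that we are
given a '0' but encoded in either the computational or Hadamard basis, each with
probability 1/2. Our quantum state corresponding to this encoding of '0' is now

$$\rho_0 = \frac{1}{2}(\rho_{0+} + \rho_{0\times}).$$

The state corresponding to an encoding of '1' is similarly given by

$$\rho_1 = \frac{1}{2}(\rho_{1+} + \rho_{1\times}).$$

It is important to note that the same density matrix can be generated by two
different ensembles. As a simple example, consider the matrix
$\rho = (2/3)|0\rangle\langle 0| + (1/3)|1\rangle\langle 1|$. Clearly, $\rho \ge 0$ and $\mathrm{Tr}(\rho) = 1$ and thus $\rho$ forms a
valid one qubit quantum state. However, $\mathcal{E}_1 = \{(2/3, |0\rangle), (1/3, |1\rangle)\}$ and
$\mathcal{E}_2 = \{(1/2, |\phi_0\rangle), (1/2, |\phi_1\rangle)\}$ with $|\phi_0\rangle = \sqrt{2/3}|0\rangle + \sqrt{1/3}|1\rangle$ and
$|\phi_1\rangle = \sqrt{2/3}|0\rangle - \sqrt{1/3}|1\rangle$ both give rise to $\rho$:

$$\rho = \frac{2}{3}|0\rangle\langle 0| + \frac{1}{3}|1\rangle\langle 1| = \frac{1}{2}|\phi_0\rangle\langle\phi_0| + \frac{1}{2}|\phi_1\rangle\langle\phi_1|.$$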

Classical vs. Quantum 

Quantum states exhibit an important property known as "no-cloning": very much
unlike classical states, we cannot create a copy of an arbitrary quantum state!
This is only possible with a small probability. We refer to [SIGA05] for an
excellent overview of known results.

In the following, we call an ensemble classical if all states $\rho_x$ commute. This
is an interesting special case, which we discuss in more detail below.

2.1.2 Multipartite systems 

We frequently need to talk about a quantum state shared by multiple players
in a protocol. Let $\mathcal{H}_1, \ldots, \mathcal{H}_n$ denote the Hilbert spaces corresponding to the
quantum systems of players 1 up to $n$. As outlined in the case of multiple qubits
above, the joint system $\mathcal{H}_1 \otimes \ldots \otimes \mathcal{H}_n$ of all players is formed by taking the tensor
product. For example, suppose that we have only two players, Alice and Bob. Let
$\mathcal{H}^A$ and $\mathcal{H}^B$ be the Hilbert spaces corresponding to Alice's and Bob's quantum
systems respectively. Any bipartite state $\rho^{AB}$ shared by Alice and Bob is a state
living in the joint system $\mathcal{H}^A \otimes \mathcal{H}^B$. Bipartite states can exhibit an interesting
property called entanglement, which we investigate in Chapter 6. In short, if
$|\Psi\rangle \in \mathcal{H}^A \otimes \mathcal{H}^B$ is a pure state, we say that $|\Psi\rangle$ is separable if and only if there
exist states $|\Psi^A\rangle \in \mathcal{H}^A$ and $|\Psi^B\rangle \in \mathcal{H}^B$ such that $|\Psi\rangle = |\Psi^A\rangle \otimes |\Psi^B\rangle$. A separable
pure state is also called a product state. A state that is not separable is called
entangled. An example of an entangled pure state is the so-called EPR-pair

$$\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle).$$

For mixed states the definition is slightly more subtle. Let $\rho \in \mathcal{S}(\mathcal{H}^A \otimes \mathcal{H}^B)$ be a
mixed state. Then $\rho$ is called a product state if there exist $\rho^A \in \mathcal{H}^A$ and
$\rho^B \in \mathcal{H}^B$ such that $\rho = \rho^A \otimes \rho^B$. The state $\rho$ is called separable, if there exists
an ensemble $\mathcal{E} = \{p_j, |\Psi_j\rangle\}$ such that $|\Psi_j\rangle = |\Psi_j^A\rangle \otimes |\Psi_j^B\rangle$ with
$|\Psi_j^A\rangle \in \mathcal{H}^A$ and $|\Psi_j^B\rangle \in \mathcal{H}^B$ for all $j$, such that

Intuitively, if $\rho$ is separable then $\rho$ corresponds to a mixture of separable pure
states according to a classical joint probability distribution $\{p_j\}$. We return to
such differences in Chapter 6. From a cryptographic perspective, it is for now
merely important to note that if the state $\rho^{AB}$ shared between Alice and Bob is a
pure state, then $\rho^{AB}$ is not entangled with any third system $\mathcal{H}^C$ held by Charlie.
That is, $\rho^{AB}$ does not depend on any classical random variable $X$ held by Charlie
whose value is unknown to Alice and Bob. An important consequence is that the
outcomes of any measurement (see below) that Alice and Bob may perform on
$\rho^{AB}$ are therefore independent of $X$, and hence secret with respect to Charlie.

Given a quantum state in a combined, larger, system, what can we say
about the state of the individual systems? For example, given a state $\rho^{AB}$
shared between Alice and Bob, the reduced state of Alice's system alone is given
by $\rho^A = \mathrm{Tr}_B(\rho^{AB})$, where $\mathrm{Tr}_B$ is the partial trace over Bob's system. The
partial trace operation $\mathrm{Tr}_B : M(\mathcal{H}^A \otimes \mathcal{H}^B) \to M(\mathcal{H}^A)$ is thereby defined as
the unique linear operator that for all $A \in M(\mathcal{H}^A)$ and all $B \in M(\mathcal{H}^B)$ maps
$\mathrm{Tr}_B(A \otimes B) = A\,\mathrm{Tr}(B)$. We also say that we trace out Bob's system from $\rho^{AB}$ to
obtain $\rho^A$. Furthermore, given any state $\rho^A \in \mathcal{H}^A$, we can always find a second
system $\mathcal{H}^B$ and a pure state $|\Psi\rangle \in \mathcal{H}^A \otimes \mathcal{H}^B$ such that $\rho^A = \mathrm{Tr}_B(|\Psi\rangle\langle\Psi|)$. We
call $|\Psi\rangle$ a purification of $\rho^A$.

Classical vs. Quantum 

In the quantum world, we encounter a particular effect known as entanglement.
Intuitively, entanglement leads to very strong correlations between Alice's and
Bob's systems, which we will examine in detail in Chapter 6.

2.1.3 Quantum operations
Unitary evolution 

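The evolution of any closed quantum system is described by a unitary evolution
$U$ that maps

$$\rho \to U \rho U^\dagger.$$

It is important to note that unitary operations are reversible: We can always apply
an additional unitary $V = U^\dagger$ to retrieve the original state since
$V(U \rho U^\dagger)V^\dagger = U^\dagger U \rho U^\dagger U = \rho$. In particular, we often make use of the following
single qubit unitaries known as the Pauli matrices

$$\sigma_x = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad \sigma_y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad \sigma_z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}.$$

Note that $\sigma_y = i\sigma_x\sigma_z$. Furthermore, we also use the Hadamard, and the
K-transform given by

Note that $K = (\mathbb{I} + i\sigma_x)/\sqrt{2}$.

Measurements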

Besides unitary operations, we can also perform measurements on the quantum
state. A quantum measurement of a state $\rho \in \mathcal{S}(\mathcal{H})$ is a set of operators $\{M_m\}$
acting on $\mathcal{S}(\mathcal{H})$, satisfying $\sum_m M_m^\dagger M_m = \mathbb{I}$. We will call the operators $M_m$
measurement operators. The probability of obtaining outcome $m$ when measuring the
state $\rho$ is given by

$$\Pr[m] = \mathrm{Tr}(M_m^\dagger M_m \rho).$$

Conditioned on the event that we obtained outcome $m$, the post-measurement
state of the system is now

$$\rho_m = \frac{M_m \rho M_m^\dagger}{\mathrm{Tr}(M_m^\dagger M_m \rho)}.$$

Most measurements disturb the quantum state and hence $\rho_m$ generally differs
from $\rho$. We will discuss this effect in more detail below. Note that we have
$\sum_m \Pr[m] = \mathrm{Tr}\left(\left(\sum_m M_m^\dagger M_m\right)\rho\right) = 1$ and hence the distribution over outcomes
$\{m\}$ is appropriately normalized.

A special case of a quantum measurement is a projective measurement, where
all measurement operators $M_m$ are orthogonal projectors which we write as
$P_m = M_m = M_m^\dagger M_m$. Projective measurements are also described via an observable
$A = \sum_m m P_m$, where $m \in \mathbb{R}$. Note that $A$ is a Hermitian matrix with eigenvalues
$\{m\}$. For any given basis $\mathcal{B} = \{|x_1\rangle, \ldots, |x_d\rangle\}$ we speak of measuring in the
basis $\mathcal{B}$ to indicate that we perform a projective measurement given by operators
$P_k = |x_k\rangle\langle x_k|$ with $k \in [d]$.

If we are only interested in the measurement outcome, but do not care about
the post-measurement state, it is often simpler to make use of the POVM (positive
operator valued measure) formalism. A POVM is a set of Hermitian operators
$\{E_m\}$ such that $\sum_m E_m = \mathbb{I}$ and for all $m$ we have $E_m \ge 0$. Evidently, from a
general measurement we can obtain a POVM by letting $E_m = M_m^\dagger M_m$. We now
have

$$\Pr[m] = \mathrm{Tr}(E_m \rho).$$

The advantage of this approach is that we can easily solve optimization
problems involving probabilities $\Pr[m]$ over the operators $E_m$, instead of considering
the individual operators $M_m$. Since $E_m \ge 0$ such problems can be solved using
semidefinite programming, which we describe in Appendix X. Finally, it is
important to note that quantum measurements do not always commute: it matters
crucially in which order we execute them. Indeed, as we will see later it is this
property that leads to all the interesting quantum effects we will consider.

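Let's consider a small example. Suppose we are given a pure quantum state
$|\Psi\rangle = \sqrt{2/3}|0\rangle + \sqrt{1/3}|1\rangle$. When measuring $|\Psi\rangle$ in the computational basis, we
perform a measurement determined by operators $P_0 = |0\rangle\langle 0|$ and $P_1 = |1\rangle\langle 1|$.
Evidently, we have

$$\Pr[0] = \mathrm{Tr}(P_0|\Psi\rangle\langle\Psi|) = \langle\Psi|P_0|\Psi\rangle = \frac{2}{3}$$

and

$$\Pr[1] = \mathrm{Tr}(P_1|\Psi\rangle\langle\Psi|) = \langle\Psi|P_1|\Psi\rangle = \frac{1}{3}.$$

If we obtained outcome '0', the post-measurement state is given by

$$\rho_0 = \frac{P_0|\Psi\rangle\langle\Psi|P_0}{\Pr[0]} = |0\rangle\langle 0|.$$

Similarly, if we obtained outcome '1', the post-measurement state is

$$\rho_1 = \frac{P_1|\Psi\rangle\langle\Psi|P_1}{\Pr[1]} = |1\rangle\langle 1|.$$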



Quantum channel 

The most general way to describe an operation is by means of a CP (completely
positive) map $\Lambda : \mathcal{H}^{in} \to \mathcal{H}^{out}$, where $\mathcal{H}^{in}$ and $\mathcal{H}^{out}$ denote the in and output systems
respectively. We also call $\Lambda$ a channel. Any channel $\Lambda$ can be written as
$\Lambda(\rho) = \sum_m V_m \rho V_m^\dagger$ where $V_m$ is a linear operator from $\mathcal{H}^{in}$ to $\mathcal{H}^{out}$, and
$\sum_m V_m^\dagger V_m \leq I$. $V_m$ is also referred to as a Kraus operator. $\Lambda$ is trace preserving if
$\sum_m V_m^\dagger V_m = I$. Any
quantum operation can be expressed by means of a CPTP (completely positive
trace preserving) map. We sometimes also refer to such a map as a superoperator,
a quantum channel, or a (measurement) instrument, if we think of a POVM with
elements $\{V_m\}$. A channel is called unital, if in addition $\sum_m V_m V_m^\dagger = I$: we then
have $\Lambda(I) = I$.

We give two simple examples. Consider the unitary evolution $U$ of a state $\rho$:
here we have $\Lambda(\rho) = U\rho U^\dagger$. When we perform our single qubit measurement in
the computational basis described above, and ignore the measurement outcome,
we implement the channel $\Lambda(\rho) = P_0\rho P_0 + P_1\rho P_1$. Since $P_0$ and $P_1$ form a
measurement and are projectors we also have that $P_0P_0^\dagger + P_1P_1^\dagger = I$ and hence
the channel is unital.

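Any quantum channel can be described by a unitary transformation on the
original and an ancilla system, where the ancilla system is traced out to recover
the original operation. More precisely, given a channel $\Lambda : \mathcal{H}^{in} \to \mathcal{H}^{out}$ we can
choose a Hilbert space $\mathcal{H}^{c}$ identical to $\mathcal{H}^{out}$, a pure state $\hat{\rho} \in S(\mathcal{H}^{out} \otimes \mathcal{H}^{c})$ and
a unitary matrix $U_\Lambda$ acting on $\mathcal{H}^{in} \otimes \mathcal{H}^{out} \otimes \mathcal{H}^{c}$ such that for any $\rho \in S(\mathcal{H}^{in})$
$\Lambda(\rho) = \mathrm{Tr}_{in,c}\, U_\Lambda(\rho \otimes \hat{\rho})U_\Lambda^\dagger$. This is all that we need here, and we refer to [Hay06]
for detailed information.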

Of particular interest, especially with regard to constructing cheat-sensitive 
protocols, is the following statement which specifies which operations leave a 
given set of states invariant. Clearly, any cheating party may always perform 
such operations without being detected. It has been shown that 

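2.1.1. Lemma. (HKL) [HKL03] Let $\Lambda : \mathcal{H} \to \mathcal{H}$ be a unital quantum channel
with $\Lambda(\rho) = \sum_m V_m \rho V_m^\dagger$, and let $S$ be a set of quantum states. Then

$$\forall \rho \in S,\ \Lambda(\rho) = \rho \quad \text{if and only if} \quad \forall m\, \forall \rho \in S,\ [V_m, \rho] = 0.$$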

Indeed, the converse direction is easy to see. If we have that for all $m$ and
for all $\rho \in S$, $[V_m, \rho] = 0$, then $\Lambda(\rho) = \sum_m V_m \rho V_m^\dagger = \sum_m V_m V_m^\dagger \rho = \rho$, since
$\Lambda$ is unital. If a quantum channel is not of this form, i.e. it does not leave
the state invariant, we also say that it disturbs the state. The statement above
has interesting consequences: consider an ensemble of states $S = \{p_x, \rho_x\}$ with
$\rho_x \in \mathcal{H}$, and suppose that there exists a decomposition $\mathcal{H} = \bigoplus_j \mathcal{H}_j$ such that
for all $x$ we have $\rho_x = \sum_j \Pi_j \rho_x \Pi_j$ where $\Pi_j$ is a projector onto $\mathcal{H}_j$. If we
perform the measurement given by operators $\{\Pi_j\}$ then (ignoring the outcome)
the states $\rho_x$ are invariant under such a measurement, since clearly $[\Pi_j, \rho_x] = 0$
for all $j$ and $x$. The outcome of the measurement tells us which $\mathcal{H}_j$ we reside
in. However, Lemma 2.1.1 tells us a lot more: We will see in Chapter 3.5.1
that if the measurement operators from a projective measurement commute with
all the states $\rho_x$, they are in fact of this very form (see also Appendix B). In
the following, we call the information about which $\mathcal{H}_j$ we reside in the classical
information of the ensemble $S$. Any attempt to gain more information, i.e. by
performing measurements which do not satisfy these commutation properties,
necessarily leads to disturbance and can be detected.

An adversary can thus always extract this classical information without affecting
the quantum state. Looking back at Chapter 1, we can now see that for unital
adversary channels we can define an honest-but-curious player to be honest-but- 
curious with regard to the classical information, and honest with regard to the 
quantum information: he may extract, copy and memorize the classical infor- 
mation as desired. However, if he wants to leave the protocol execution itself 
unaltered, he cannot perform any other measurements and must thus be honest 
on the remaining quantum part of the ensemble. 



Classical vs. Quantum 

Clearly, Lemma 2.1.1 also tells us that if all the states in our ensemble
commute, i.e. the ensemble is classical as defined above, then we can always perform
a measurement in their common eigenbasis "for free". Furthermore, if our
ensemble is classical we have $\dim(\mathcal{H}_j) = 1$, i.e. $\mathcal{H}_j$ itself is also classical: it is
just a scalar. We thus see that such an ensemble has no quantum properties:
we can extract and copy information at will. Informally, we may think of the 
different states within the ensemble as different classical probability distributions 
over their common eigenstates. We will return to this idea shortly. 

Furthermore, we can look at measurements or observables themselves. Note 
again from the above that since a quantum measurement may disturb a state, it 
matters in which order measurements are executed. That is, quantum operations 
do not commute. It is this fact that leads to all the interesting effects we observe: 
uncertainty relations, locking and Bell inequality violations using quantum entan- 
glement are all consequences of the existence of non-commuting measurements in 
the quantum world. This lies in stark contrast to the classical world, where all
our measurements do commute, and we therefore do not encounter such effects.



2.2 Distinguishability 

How can we distinguish several quantum states? Suppose we are given states
$\rho_X$ where $X$ is a random variable drawn according to a probability distribution
$P_X$ over some finite set $\mathcal{X}$. Our goal is now to determine the value of $X$ given
an unknown state $\rho \in \{\rho_x \mid x \in \mathcal{X}\}$. Cryptographically, this gives an intuitive
measure on how well we can guess the value of X. The problem of finding the 
optimal distinguishing measurement is called state discrimination, where optimal 
refers to finding the measurement that maximizes the probability of successfully 
guessing X. For two states, the optimal guessing probability is particularly simple 
to evaluate. To this end, we first need to introduce the trace distance, and the 
trace norm:

2.2.1. Definition. The trace distance of two states $\rho_0$ and $\rho_1$ is given by

$$D(\rho_0, \rho_1) = \frac{1}{2}\|\rho_0 - \rho_1\|_1,$$

where $\|A\|_1 = \mathrm{Tr}(\sqrt{A^\dagger A})$ is the trace norm of $A$.

Alternatively, the trace distance may also be expressed as [Hay06]

$$D(\rho_0, \rho_1) = \max_M \mathrm{Tr}(M(\rho_0 - \rho_1)),$$

where the maximization is taken over all $M \geq 0$. Indeed, $D$ is really a "distance"
measure, as it is clearly a metric on the space of density matrices: We have
$D(\rho_0, \rho_1) = 0$ if and only if $\rho_0 = \rho_1$, and evidently $D(\rho_0, \rho_1) = D(\rho_1, \rho_0)$. Finally,
the triangle inequality holds:

$$\begin{aligned}
D(\rho_0, \rho_1) &= \max_M \mathrm{Tr}(M(\rho_0 - \rho_1)) = \max_M \big(\mathrm{Tr}(M(\rho_0 - \sigma)) + \mathrm{Tr}(M(\sigma - \rho_1))\big) \\
&\leq D(\rho_0, \sigma) + D(\sigma, \rho_1).
\end{aligned}$$



When considering single qubits (such as for example in Chapter 11) it is often
intuitive to note that for a single qubit, the trace distance has a particularly
simple form. Note that $I$, $\sigma_x$, $\sigma_y$ and $\sigma_z$ form a basis for the space of $2 \times 2$
complex matrices. Since we have $\mathrm{Tr}(\rho) = 1$ for any quantum state, we can thus
write any single qubit state as

$$\rho = \frac{I + \sum_j r_j\sigma_j}{2} = \frac{I + r \cdot \sigma}{2},$$

where $\sigma = (\sigma_x, \sigma_y, \sigma_z)$ and $r = (r_x, r_y, r_z)$ is the Bloch vector as given in Figure 2.1.
For $\tau = (I + t \cdot \sigma)/2$ with $t = (t_x, t_y, t_z)$ we then have

$$D(\rho, \tau) = \frac{1}{2}\|\rho - \tau\|_1 = \frac{1}{4}\mathrm{Tr}\sqrt{\Big(\sum_{j\in\{x,y,z\}}(r_j - t_j)\sigma_j\Big)^2} = \frac{1}{2}\sqrt{\sum_{j\in\{x,y,z\}}(r_j - t_j)^2},$$

where we used the fact that all Pauli matrices anti-commute. Thus, the trace
distance between $\rho$ and $\tau$ is exactly half the Euclidean distance of the corresponding
Bloch vectors.

Using the trace distance, we can address the problem of distinguishing two 
quantum states: 

2.2.2. Theorem (Helstrom [Hel67]). Suppose we are given states $\rho_0$ with
probability $q$, and $\rho_1$ with probability $1 - q$. Then the probability to determine
whether the state was $\rho_0$ or $\rho_1$ is at most

$$p = \frac{1}{2}\left[1 + \|q\rho_0 - (1 - q)\rho_1\|_1\right].$$

The measurement that achieves $p$ is given by $M_0$, and $M_1 = I - M_0$, where $M_0$ is
the projector onto the positive eigenspace of $q\rho_0 - (1 - q)\rho_1$.

Figure 2.1: Bloch vector $(r_x, r_y, r_z) = (\cos\psi\sin\theta, \sin\psi\sin\theta, \cos\theta)$



For $q = 1/2$, this gives us $p = 1/2 + D(\rho_0, \rho_1)/2$. Indeed, it is easy to see
why such $M_0$ and $M_1$ form the optimal measurement. Note that here we are only
interested in finding a POVM. To find the optimal POVM we must solve the
following optimization problem for variables $M_0$ and $M_1$.

maximize    $q\mathrm{Tr}(M_0\rho_0) + (1 - q)\mathrm{Tr}(M_1\rho_1)$
subject to  $M_0, M_1 \geq 0$,
            $M_0 + M_1 = I$.


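We can rewrite our target function as

$$\begin{aligned}
q\mathrm{Tr}(M_0\rho_0) + (1 - q)\mathrm{Tr}(M_1\rho_1) &= q\mathrm{Tr}(M_0\rho_0) + (1 - q)\mathrm{Tr}((I - M_0)\rho_1) \\
&= \mathrm{Tr}(M_0(q\rho_0 - (1 - q)\rho_1)) + 1 - q \\
&= \mathrm{Tr}\Big(M_0 \sum_{\lambda_j > 0} \lambda_j|u_j\rangle\langle u_j|\Big) + \mathrm{Tr}\Big(M_0 \sum_{\lambda_j \leq 0} \lambda_j|u_j\rangle\langle u_j|\Big) + 1 - q,
\end{aligned}$$

where $q\rho_0 - (1 - q)\rho_1 = \sum_j \lambda_j|u_j\rangle\langle u_j|$. Hence, to maximize the above expression,
we need to choose $M_0 = \sum_{\lambda_j > 0} |u_j\rangle\langle u_j|$.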
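The bound of Theorem 2.2.2 and the measurement built from the positive eigenspace can be checked numerically for single qubits. The Python below is an added example, not code from the thesis: it builds states from Bloch vectors, evaluates $\frac{1}{2}[1 + \|q\rho_0 - (1-q)\rho_1\|_1]$, and compares it with the success probability of $M_0$, $M_1 = I - M_0$; the function names and the sample states $|0\rangle$ and $|+\rangle$ are choices made here.

```python
import math

I2 = [[1, 0], [0, 1]]

def bloch_state(r):
    """Density matrix (I + r.sigma)/2 for a Bloch vector r = (rx, ry, rz)."""
    rx, ry, rz = r
    return [[(1 + rz) / 2, (rx - 1j * ry) / 2],
            [(rx + 1j * ry) / 2, (1 - rz) / 2]]

def combine(a, A, b, B):
    """Entrywise a*A + b*B for 2x2 matrices."""
    return [[a * A[i][j] + b * B[i][j] for j in range(2)] for i in range(2)]

def trace_of_product(A, B):
    """Tr(AB); real whenever A and B are Hermitian."""
    return sum(A[i][j] * B[j][i] for i in range(2) for j in range(2)).real

def eigh2(A):
    """Eigenpairs (value, unit vector) of a 2x2 Hermitian matrix."""
    a, d, b = A[0][0].real, A[1][1].real, A[0][1]
    if abs(b) < 1e-15:                       # already diagonal
        return [(a, (1, 0)), (d, (0, 1))]
    mean, gap = (a + d) / 2, math.hypot((a - d) / 2, abs(b))
    pairs = []
    for lam in (mean + gap, mean - gap):
        v = (b, lam - a)                     # solves (A - lam*I) v = 0
        norm = math.hypot(abs(v[0]), v[1])
        pairs.append((lam, (v[0] / norm, v[1] / norm)))
    return pairs

def trace_norm(A):
    """||A||_1 of a Hermitian matrix: sum of absolute eigenvalues."""
    return sum(abs(lam) for lam, _ in eigh2(A))

def trace_distance(rho0, rho1):
    return 0.5 * trace_norm(combine(1, rho0, -1, rho1))

def helstrom(rho0, rho1, q):
    """Return (bound, achieved, M0) for priors q and 1 - q.

    bound    = (1 + ||q rho0 - (1-q) rho1||_1) / 2
    achieved = success probability of the projective measurement whose
               M0 projects onto the positive eigenspace of q rho0 - (1-q) rho1.
    """
    A = combine(q, rho0, -(1 - q), rho1)
    bound = 0.5 * (1 + trace_norm(A))
    M0 = [[0, 0], [0, 0]]
    for lam, v in eigh2(A):
        if lam > 0:                          # keep only positive eigenvalues
            for i in range(2):
                for j in range(2):
                    M0[i][j] += v[i] * v[j].conjugate()
    M1 = combine(1, I2, -1, M0)
    achieved = (q * trace_of_product(M0, rho0)
                + (1 - q) * trace_of_product(M1, rho1))
    return bound, achieved, M0

if __name__ == "__main__":
    # Sample input chosen for this example: |0> versus |+>, equal priors.
    zero, plus = bloch_state((0, 0, 1)), bloch_state((1, 0, 0))
    bound, achieved, _ = helstrom(zero, plus, 0.5)
    print("trace distance:", trace_distance(zero, plus))
    print("Helstrom bound:", bound, "achieved:", achieved)
```

For $|0\rangle$ versus $|+\rangle$ with $q = 1/2$ the bound evaluates to $1/2 + 1/(2\sqrt{2})$. When $q\rho_0 - (1-q)\rho_1$ has no positive eigenvalue, $M_0 = 0$ and the optimal strategy is to always answer $\rho_1$.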

Unfortunately, computing the optimal measurement to distinguish more than
two states is generally not so easy. Yuen, Kennedy and Lax [YKL75] first showed
that this problem can be solved using semidefinite programming, a technique we
describe in Appendix A. This technique has since been refined to address other
variants such as unambiguous state discrimination where we can output "don't
know", but are never allowed to make a mistake [Eld03]. Evidently, we can
express the optimization problem for any state discrimination problem as

maximize    $\sum_x P_X(x)\mathrm{Tr}(M_x\rho_x)$
subject to  $\forall x \in \mathcal{X}, M_x \geq 0$,
            $\sum_x M_x = I$.

In Chapter 3, we will use the above formulation. We also show how to address
a variant of this problem, where we receive additional classical information after
performing the measurement.

Closely related to the trace distance is the notion of fidelity. 

2.2.3. Definition. The fidelity of states $\rho$ and $\sigma$ is given by

$$F(\rho, \sigma) = \mathrm{Tr}\sqrt{\rho^{1/2}\sigma\rho^{1/2}}.$$

Note that if $\rho = |\Psi\rangle\langle\Psi|$ is a pure state, this becomes



The fidelity is closely related to the trace distance. In particular, we have that
for any states $\rho$ and $\sigma$

$$1 - F(\rho, \sigma) \leq D(\rho, \sigma) \leq \sqrt{1 - F(\rho, \sigma)^2}.$$

A proof can be found in [NC00, Section 9.2.3]. If $\rho = |\Psi\rangle\langle\Psi|$ is a pure state, the
lower bound can be improved to

Many other distance measures of quantum states are known, which may be a
more convenient choice for particular problems. We refer to [Fuc95, Hay06] for
an overview.

Classical vs. Quantum 

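Suppose again we are given a classical ensemble of states $\rho$ and $\sigma$. That is, both
operators commute and hence have a common eigenbasis $\{|u_1\rangle, \ldots, |u_d\rangle\}$. We can
thus write $\rho = \sum_j \lambda_j|u_j\rangle\langle u_j|$ and $\sigma = \sum_j \gamma_j|u_j\rangle\langle u_j|$, which allows us to write the
trace distance of $\rho$ and $\sigma$ as

$$D(\rho, \sigma) = \frac{1}{2}\Big\|\sum_j(\lambda_j - \gamma_j)|u_j\rangle\langle u_j|\Big\|_1 = \frac{1}{2}\sum_j|\lambda_j - \gamma_j| = D(\lambda_j, \gamma_j),$$

where $D(\lambda_j, \gamma_j)$ is the classical variational distance between the distributions
$\{\lambda_j\}$ and $\{\gamma_j\}$. Again, we see that there is nothing quantum in this setting. We
can view $\rho$ and $\sigma$ as two different probability distributions over the set
Similarly, it is easy to see that

$$F(\rho, \sigma) = \mathrm{Tr}\sqrt{\sum_j \lambda_j\gamma_j|u_j\rangle\langle u_j|} = \sum_j\sqrt{\lambda_j\gamma_j} = F(\lambda_j, \gamma_j),$$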

where $F(\lambda_j, \gamma_j)$ is the classical fidelity of the distributions $\{\lambda_j\}$ and $\{\gamma_j\}$.

2.3 Information measures

2.3.1 Classical

We also need the following ways of measuring information. Let $X$ be a random
variable distributed over a finite set $\mathcal{X}$ according to probability distribution $P_X$.
The Shannon entropy of $X$ is then given by

$$H(X) = -\sum_x P_X(x)\log P_X(x).$$

Intuitively, the Shannon entropy measures how much information we gain on
average by learning $X$. A complementary view point is that $H(X)$ quantifies the
amount of uncertainty we have about $X$ before the fact. We will also use $H(P_X)$,
if our discussion emphasizes a certain distribution $P_X$. If $|\mathcal{X}| = 2$, we also use
the term binary entropy and use the shorthand

$$h(p) = -p\log p - (1 - p)\log(1 - p).$$

Let $Y$ be a second random variable distributed over a finite set $\mathcal{Y}$ according to
distribution $P_Y$. The joint entropy of $X$ and $Y$ can now be expressed as

$$H(X, Y) = -\sum_{x,y} P_{XY}(x, y)\log P_{XY}(x, y),$$

where $P_{XY}$ is the joint distribution over $\mathcal{X} \times \mathcal{Y}$. Furthermore, we can quantify
the uncertainty about $X$ given $Y$ by means of the conditional entropy

$$H(X|Y) = H(X, Y) - H(Y).$$

To quantify the amount of information $X$ and $Y$ may have in common we use
the mutual information

$$I(X, Y) = H(X) + H(Y) - H(X, Y) = H(X) - H(X|Y).$$

Intuitively the mutual information captures the amount of information we gain
about $X$ by learning $Y$. The Shannon entropy has many interesting properties,
summarized, for example, in [NC00, Theorem 11.3], but we do not require them
here. In Chapter 5 we only need the classical mutual information of a bipartite
quantum state $\rho^{AB}$, which is the maximum classical mutual information that can
be obtained by local measurements $M_A \otimes M_B$ on the state $\rho^{AB}$ [THLD02]:

$$I_c(\rho^{AB}) = \max_{M_A \otimes M_B} I(A, B), \qquad (2.1)$$

where $A$ and $B$ are the random variables corresponding to Alice's and Bob's
measurement outcomes respectively.






In a cryptographic setting, the Shannon entropy is not always a desirable
measure as it merely captures our uncertainty about $X$ on average. Often, the
Rényi entropy allows us to make stronger statements. The Rényi entropy [Ren60]
of order $\alpha$ is defined as

$$H_\alpha(X) = \frac{1}{1 - \alpha}\log\Big(\sum_x P_X(x)^\alpha\Big).$$

Indeed, the Shannon entropy forms a special case of the Rényi entropy by taking
the limit $\alpha \to 1$, i.e., $H_1(\cdot) = H(\cdot)$, where we omit the subscript. Of particular
importance is the min-entropy, for $\alpha \to \infty$:

$$H_\infty(X) = -\log\big(\max_x P_X(x)\big)$$

and the collision entropy

$$H_2(X) = -\log\sum_x P_X(x)^2.$$

We have

$$\log|\mathcal{X}| \geq H(X) \geq H_2(X) \geq H_\infty(X).$$

Intuitively, the min-entropy is determined by the highest peak in the distribution
and most closely captures the notion of "guessing" $x$. Consider the following
example: Let $\mathcal{X} = \{0, 1\}^n$ and let $x_0 = 0, \ldots, 0$ be the all 0 string. Suppose that
$P_X(x_0) = 1/2 + 1/(2^{n+1})$ and $P_X(x) = 1/(2^{n+1})$ for $x \neq x_0$, i.e., with probability
1/2 we choose $x_0$ and with probability 1/2 we choose one string uniformly at
random. Then $H(X) \approx n/2$, whereas $H_\infty(X) = 1$! If $x$ would correspond to an
encryption key used to encrypt an $n$ bit message, we would certainly not talk
about security if we can guess the key with probability 1/2! Yet, the Shannon
entropy is quite high. We refer to [Cac97] for an in-depth discussion of security
measures in classical cryptography.
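The gap between average-case and worst-case uncertainty in this example can be computed exactly even for key lengths where the $2^n$ strings cannot be enumerated. The Python below is an added example, not part of the thesis: it groups strings of equal probability into (probability, multiplicity) classes and returns the Shannon, collision and min-entropy in bits together with the best single-guess probability; the function names are chosen here.

```python
import math
from fractions import Fraction

def log2_fraction(p):
    """log2 of a positive Fraction, safe for probabilities far below float range."""
    return math.log2(p.numerator) - math.log2(p.denominator)

def entropies(classes):
    """Entropies (in bits) of a distribution given as (probability, multiplicity)
    pairs, where `multiplicity` strings each have exactly `probability`."""
    if sum(p * m for p, m in classes) != 1:
        raise ValueError("probabilities must sum to 1")
    shannon = -sum(float(p * m) * log2_fraction(p) for p, m in classes if p > 0)
    collision = -log2_fraction(sum(p * p * m for p, m in classes))
    p_guess = max(p for p, m in classes if m > 0)   # best single guess
    return {"shannon": shannon, "collision": collision,
            "min": -log2_fraction(p_guess), "p_guess": p_guess}

def peaked_key_distribution(n):
    """The example above on {0,1}^n: P(x0) = 1/2 + 2^-(n+1), all others 2^-(n+1)."""
    tail = Fraction(1, 2 ** (n + 1))
    return [(Fraction(1, 2) + tail, 1), (tail, 2 ** n - 1)]

def uniform_key_distribution(n):
    """Reference case: every n-bit key equally likely."""
    return [(Fraction(1, 2 ** n), 2 ** n)]

if __name__ == "__main__":
    for n in (8, 128, 256):
        peaked = entropies(peaked_key_distribution(n))
        uniform = entropies(uniform_key_distribution(n))
        print(f"n={n}: peaked  H={peaked['shannon']:.3f} "
              f"H2={peaked['collision']:.3f} Hmin={peaked['min']:.3f} "
              f"P_guess={float(peaked['p_guess']):.3f}")
        print(f"n={n}: uniform H={uniform['shannon']:.3f} "
              f"Hmin={uniform['min']:.3f}")
```

For $n = 128$ the peaked distribution has 65 bits of Shannon entropy but only about 1 bit of min-entropy, which is the figure that bounds an attacker's first-guess success.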

2.3.2 Quantum 

Similar to the Shannon entropy, the von Neumann entropy of a quantum state
$\rho$ is given by

$$S(\rho) = -\mathrm{Tr}(\rho\log\rho).$$

Taking the eigendecomposition of $\rho = \sum_x \lambda_x|x\rangle\langle x|$ we can also write

$$S(\rho) = -\sum_x \lambda_x\log\lambda_x,$$

which corresponds to the Shannon entropy arising from measuring $\rho$ in the basis
given by $\{|x\rangle\langle x|\}$. We refer to [NC00, Section 11.3] for the properties of the von
Neumann entropy.

Here, we will only be concerned with the accessible information [Per93, Eq.
(9.75)] of an ensemble $\mathcal{E} = \{p_x, \rho_x\}$ which we encounter again in Chapter 5:

$$I_{acc}(\mathcal{E}) = \max_M\Big(-\sum_x p_x\log p_x + \sum_j\sum_x p_x\mathrm{Tr}(M_j\rho_x)\log\frac{p_x\mathrm{Tr}(M_j\rho_x)}{\mathrm{Tr}(M_j\rho)}\Big),$$

where $\rho = \sum_x p_x\rho_x$ and the maximization is taken over all POVMs $M = \{M_j\}$.
It has been shown that we can take all POVM elements to be of rank 1 [Dav78].
However, maximizing this quantity still remains a hard task [Per93]. Some upper
and lower bounds are known [Fuc95], but sadly none of them are generally very
strong. The most well-known upper bound is given by the Holevo quantity, which
is given by

$$\chi(\rho) = S(\rho) - \sum_x p_x S(\rho_x).$$

Holevo's theorem [NC00] states that

$$I_{acc}(\mathcal{E}) \leq \chi(\rho). \qquad (2.2)$$

Classical vs. Quantum 



Equality in Eq. (2.2) is achieved if all states $\rho_x$ have a common eigenbasis (i.e.,
all $\rho_x$ commute). Hence, for classical ensembles we do not have a gap between
these two quantities. The fact that quantumly we can obtain such a gap leads
to a peculiar effect known as locking classical information in quantum states
in Chapter 5. However, even if the states $\rho_x$ do not commute, we can still
extract the "classical information" of the ensemble: Suppose for all $\rho_x \in \mathcal{H}$
from our ensemble there exists a decomposition $\mathcal{H} = \bigoplus_j \mathcal{H}_j$ such that for all
$x$, $\rho_x = \sum_j \Pi_j\rho_x\Pi_j$, where $\Pi_j$ is a projector onto $\mathcal{H}_j$. That is, there exists
a way to simultaneously block-diagonalize all states. Note that for any
measurement maximizing the accessible information above, we can find an
equivalent measurement with measurement operators $\hat{M} = \sum_j \Pi_j M\Pi_j$, since evidently,
$\mathrm{Tr}(M\rho_x) = \sum_j \mathrm{Tr}(\Pi_j M\Pi_j\rho_x) = \mathrm{Tr}(\hat{M}\rho_x)$. Intuitively, this means that we can
always first determine which block we are in "for free", followed by our original
measurement constrained to this block. Note that $[\Pi_j, \rho_x] = 0$ for all $\Pi_j$ and $\rho_x$.
Hence, looking back at Section 2.1.3 this is not so surprising: the measurement
leaves our states invariant. In general, such commutation relations lead to
interesting structural consequences which we examine in more detail in Appendix B
and also exploit in Chapter 3. Finally, it will be useful in Chapter 10 that the
accessible information is additive [Hol73, DLT02]: For $m$ independent draws of
an ensemble $\mathcal{E}$ of separable states (see Chapter 6), i.e., we choose $m$ states from
$m$ identical ensembles independently, we have $I_{acc}(\mathcal{E}^{\otimes m}) = m I_{acc}(\mathcal{E})$.

2.4 Mutually unbiased bases

In the following chapters, we will be particularly concerned with measurements in
mutually unbiased bases (MUBs). MUBs were initially introduced in the context
of state estimation [WF89], but feature in many other problems in quantum
information. The following definition closely follows the one given in [BBRV02].

2.4.1. Definition. [MUBs] Let $B_1 = \{|b^1_1\rangle, \ldots, |b^1_d\rangle\}$ and $B_2 = \{|b^2_1\rangle, \ldots, |b^2_d\rangle\}$
be two orthonormal bases in $\mathbb{C}^d$. They are said to be mutually unbiased if
= for every $k, l \in [d]$. A set $\{B_1, \ldots, B_m\}$ of orthonormal bases
in $\mathbb{C}^d$ is called a set of mutually unbiased bases if each pair of bases is mutually
unbiased.

As an example, consider the computational and the Hadamard basis defined
above, and note that we can write $|+\rangle = H|0\rangle$ and $|-\rangle = H|1\rangle$. We then have
for $x \in \{0, 1\}^n$ that

Hence, the computational and the Hadamard basis are mutually unbiased in
dimension $d = 2^n$.

We use $N(d)$ to denote the maximal number of MUBs in dimension $d$. In
any dimension $d$, we have that $N(d) \leq d + 1$ [BBRV02]. If $d = p^k$ is a prime
power, we have that $N(d) = d + 1$ and explicit constructions are known [BBRV02,
WF89]. If $d = s^2$ is a square, $N(d) \geq \mathrm{MOLS}(s)$ where $\mathrm{MOLS}(s)$ denotes the
number of mutually orthogonal $s \times s$ Latin squares [WB05]. In general, we have
$N(nm) \geq \min\{N(n), N(m)\}$ for all $n, m \in \mathbb{N}$ [Zau99, KR03]. It is also known
that in any dimension, there exists an explicit construction for 3 MUBs [Gra04].
Unfortunately, not much else is known. For example, it is still an open problem
whether there exists a set of 7 MUBs in dimension $d = 6$. We say that a unitary
$U_t$ transforms the computational basis into the $t$-th MUB $B_t = \{|b^t_1\rangle, \ldots, |b^t_d\rangle\}$
if for all $k \in [d]$ we have $|b^t_k\rangle = U_t|k\rangle$. In the next two chapters, we will be
particularly concerned with two specific constructions of mutually unbiased bases.
There exists a third construction based on Galois rings [KR04], which we do not
consider here.

2.4.1 Latin squares 

First, we consider MUBs based on mutually orthogonal Latin squares [WB05].
Informally, an $s \times s$ Latin square over the symbol set $[s]$ is an arrangement of
elements of $[s]$ into an $s \times s$ square such that in each row and each column every
element occurs exactly once. Let $L_{i,j}$ denote the entry in a Latin square in row $i$
and column $j$. Two Latin squares $L$ and $L'$ are called mutually orthogonal if and
only if $\{(L_{i,j}, L'_{i,j}) \mid i, j \in [s]\} = \{(u, v) \mid u, v \in [s]\}$. Intuitively, this means that if
we place one square on top of the other, and look at all pairs generated by the
overlaying elements, all possible pairs occur. An example is given in Figures 2.2
and 2.3 below. From any $s \times s$ Latin square we can obtain a basis for $\mathbb{C}^s \otimes \mathbb{C}^s$.
First, we construct $s$ of the basis vectors from the entries of the Latin square
itself. Let

$$|v_{1,\ell}\rangle = \frac{1}{\sqrt{s}}\sum_{i,j\in[s]} E^L_{i,j}(\ell)\,|i, j\rangle,$$

where $E^L_{i,j}$ is a predicate such that $E^L_{i,j}(\ell) = 1$ if and only if $L_{i,j} = \ell$. Note
that for each $\ell$ we have exactly $s$ pairs $i, j$ such that $E^L_{i,j}(\ell) = 1$, because each
element of $[s]$ occurs exactly $s$ times in the Latin square. Secondly, from each
such vector we obtain $s - 1$ additional vectors by adding successive rows of an
$s \times s$ complex Hadamard matrix $H = (h_{ij})$ as coefficients to obtain the remaining
$|v_{t,\ell}\rangle$ for $t \in [s]$, where $h_{ij} = \omega^{ij}$ with $i, j \in \{0, \ldots, s - 1\}$ and $\omega = e^{2\pi i/s}$. Two
additional MUBs can then be obtained in the same way from the two non-Latin
squares where each element occurs for an entire row or column respectively. From
each mutually orthogonal Latin square and these two extra squares which also
satisfy the above orthogonality condition, we obtain one basis. This construction
therefore gives $\mathrm{MOLS}(s) + 2$ many MUBs. It is known that if $s = p^k$ is a prime
power itself, we obtain $p^k + 1 \approx \sqrt{d}$ MUBs from this construction. Note, however,
that there do exist many more MUBs in prime power dimensions, namely $d + 1$.
If $s$ is not a prime power, it is merely known that $\mathrm{MOLS}(s) \geq s^{1/14.8}$ [WB05].



Figure 2.2: Latin Square (LS) Figure 2.3: Mutually Orthogonal LS 



As an example, consider the $3 \times 3$ Latin square depicted in Figure 2.2 and the
$3 \times 3$ complex Hadamard matrix

where $\omega = e^{2\pi i/3}$. First, we obtain vectors

$$\begin{aligned}
|v_{1,1}\rangle &= \frac{1}{\sqrt{3}}(|1,1\rangle + |2,3\rangle + |3,2\rangle) \\
|v_{1,2}\rangle &= \frac{1}{\sqrt{3}}(|1,2\rangle + |2,1\rangle + |3,3\rangle) \\
|v_{1,3}\rangle &= \frac{1}{\sqrt{3}}(|1,3\rangle + |2,2\rangle + |3,1\rangle).
\end{aligned}$$

With the help of $H$ we obtain 3 additional vectors from the ones above. From
the vector $|v_{1,1}\rangle$, for example, we obtain

$$\begin{aligned}
|v_{1,1}\rangle &= \frac{1}{\sqrt{3}}(|1,1\rangle + |2,3\rangle + |3,2\rangle) \\
|v_{2,1}\rangle &= \frac{1}{\sqrt{3}}(|1,1\rangle + \omega|2,3\rangle + \omega^2|3,2\rangle) \\
|v_{3,1}\rangle &= \frac{1}{\sqrt{3}}(|1,1\rangle + \omega^2|2,3\rangle + \omega|3,2\rangle).
\end{aligned}$$

This gives us basis $B = \{|v_{t,\ell}\rangle \mid t, \ell \in [s]\}$ for $s = 3$. The construction of another
basis follows in exactly the same way from a mutually orthogonal Latin square.
The fact that two such squares $L$ and $L'$ are mutually orthogonal ensures that the
resulting bases will be mutually unbiased. Indeed, suppose we are given another
such basis, $B' = \{|u_{t,\ell}\rangle \mid t, \ell \in [s]\}$ belonging to $L'$. We then have for any $\ell, \ell' \in [s]$
that $|\langle u_{1,\ell'}|v_{1,\ell}\rangle|^2 = |\frac{1}{s}\sum_{i,j\in[s]} E^{L'}_{i,j}(\ell')E^L_{i,j}(\ell)|^2 = 1/s^2$, since there exists exactly
one pair $i, j \in [s]$ such that $E^{L'}_{i,j}(\ell')E^L_{i,j}(\ell) = 1$. Clearly, the same argument
holds for the additional vectors derived from the complex Hadamard matrix.

2.4.2 Generalized Pauli matrices

The second construction we consider is based on the generalized Pauli matrices
$X_d$ and $Z_d$ [BBRV02], defined by their actions on the computational basis
$C = \{|0\rangle, \ldots, |d-1\rangle\}$ as follows:

$$X_d|k\rangle = |k + 1 \bmod d\rangle$$
$$Z_d|k\rangle = \omega^k|k\rangle, \quad \forall |k\rangle \in C,$$

where $\omega = e^{2\pi i/d}$. We say that $(X_d)^{a_1}(Z_d)^{b_1} \otimes \cdots \otimes (X_d)^{a_N}(Z_d)^{b_N}$ for $a_k, b_k \in
\{0, \ldots, d - 1\}$ and $k \in [N]$ is a string of Pauli matrices.

If $d$ is a prime, it is known that the $d + 1$ MUBs constructed first by Wootters
and Fields [WF89] can also be obtained as the eigenvectors of the matrices
$Z_d, X_d, X_dZ_d, X_dZ_d^2, \ldots, X_dZ_d^{d-1}$ [BBRV02]. If $d = p^k$ is a prime power, consider
all $d^2 - 1$ possible strings of Pauli matrices excluding the identity and group them
into sets $C_1, \ldots, C_{d+1}$ such that $|C_i| = d - 1$ and $C_i \cap C_j = \{I\}$ for $i \neq j$ and
all elements of $C_i$ commute. Let $B_i$ be the common eigenbasis of all elements of
$C_i$. Then $B_1, \ldots, B_{d+1}$ are MUBs [BBRV02]. A similar result for $d = 2^k$ has also
been shown in [LBZ02]. A special case of this construction are the three mutually
unbiased bases in dimension $d = 2^k$ given by the unitaries $I^{\otimes k}$, $H^{\otimes k}$ and $K^{\otimes k}$ (as
defined on page 29) applied to the computational basis.
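The Latin-square construction of Section 2.4.1 can be carried out and checked numerically. The Python below is an added example, not code from the thesis: it builds one basis per square and verifies the standard unbiasedness condition $|\langle u|v\rangle|^2 = 1/d$ with $d = s^2$. It goes beyond the $s = 3$ case by using, for any prime $s$, the squares $L^{(a)}_{i,j} = (i + a j) \bmod s$; that family, the 0-based symbols, and the row-major ordering of cells inside each symbol class (which reproduces the coefficients $1, \omega, \omega^2$ of $|v_{2,1}\rangle$ above) are assumptions made here.

```python
import cmath
import math

def symbol_classes(square):
    """For each symbol, the cells (i, j) that hold it, in row-major order."""
    s = len(square)
    return [[(i, j) for i in range(s) for j in range(s) if square[i][j] == sym]
            for sym in range(s)]

def mutually_orthogonal(L1, L2):
    """True if overlaying the two squares yields every pair (u, v) exactly once."""
    s = len(L1)
    return len({(L1[i][j], L2[i][j]) for i in range(s) for j in range(s)}) == s * s

def basis_from_square(square):
    """s*s vectors in C^s (x) C^s: for each symbol class, row t of the
    complex Hadamard matrix h[t][k] = w^(t*k) supplies the coefficients."""
    s = len(square)
    w = cmath.exp(2j * math.pi / s)
    basis = []
    for cells in symbol_classes(square):
        for t in range(s):
            vec = [0j] * (s * s)
            for k, (i, j) in enumerate(cells):
                vec[i * s + j] = w ** (t * k) / math.sqrt(s)   # amplitude on |i,j>
            basis.append(vec)
    return basis

def inner(u, v):
    return sum(a.conjugate() * b for a, b in zip(u, v))

def is_orthonormal(basis, tol=1e-9):
    return all(abs(inner(u, v) - (1 if a == b else 0)) < tol
               for a, u in enumerate(basis) for b, v in enumerate(basis))

def mutually_unbiased(B1, B2, tol=1e-9):
    d = len(B1)
    return all(abs(abs(inner(u, v)) ** 2 - 1 / d) < tol for u in B1 for v in B2)

def squares_for_prime(s):
    """s - 1 mutually orthogonal Latin squares (valid for prime s; a choice made
    for this example) plus the two non-Latin row and column squares."""
    squares = [[[(i + a * j) % s for j in range(s)] for i in range(s)]
               for a in range(1, s)]
    squares.append([[i] * s for i in range(s)])           # symbol = row index
    squares.append([list(range(s)) for _ in range(s)])    # symbol = column index
    return squares

if __name__ == "__main__":
    for s in (3, 5):
        bases = [basis_from_square(sq) for sq in squares_for_prime(s)]
        ok = all(mutually_unbiased(bases[a], bases[b])
                 for a in range(len(bases)) for b in range(a + 1, len(bases)))
        print(f"s={s}: {len(bases)} bases in dimension {s * s}, unbiased: {ok}")
    # Failure mode: relabelling symbols gives a square that is NOT orthogonal
    # to the original, and the resulting bases are not unbiased.
    L = squares_for_prime(3)[0]
    relabelled = [[(v + 1) % 3 for v in row] for row in L]
    print(mutually_orthogonal(L, relabelled),
          mutually_unbiased(basis_from_square(L), basis_from_square(relabelled)))
```

For $s = 3$ this yields $\mathrm{MOLS}(3) + 2 = 4$ bases in dimension 9, and for $s = 5$ six bases in dimension 25.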



2.5 Conclusion 

We summarized the most important elements of quantum theory that we need
here. We refer to [Per93, NC00, Hay06] for more information about each topic.
In Chapters 4 and 6 we investigate the two most striking aspects of quantum
theory in detail: uncertainty relations and entanglement. But first, let's examine
the case of state discrimination with additional post-measurement information.



Chapter 3 



State discrimination 
with post-measurement information 



In this chapter, we investigate an extension of the traditional state discrimination
problem we encountered in Chapter 2: what if we are given some additional
information after the measurement? Imagine that you are given a string $x$ encoded
in an unknown basis chosen from a known set of bases. You may perform any
measurement, but you can only store at most $q$ qubits of quantum information
afterwards. Later on, you are told which basis was used. How well can you
compute a function $f$ of $x$, given the initial measurement outcome, the $q$ qubits and
the additional basis information?



3.1 Introduction 

This question is of central importance for protocols in the bounded quantum
storage model [DFSS05], which we encountered in Chapter 1. The security of such
protocols rests on the realistic assumption that a dishonest player cannot store
more than $q$ qubits for long periods of time. In this model, even bit commitment
and oblivious transfer can be implemented securely which is otherwise known to
be impossible as we saw in Chapter 1. We formalize this general setting as a
state discrimination problem: Here, we are given additional information about
the state after the measurement or, more generally, after a quantum memory
bound is applied. We prove general bounds on the success probability for any
balanced function. We also show that storing just a single qubit allows you to
compute any Boolean function perfectly when two bases are used. However, we
also construct three bases for which you need to keep all qubits.

In general, we consider the following problem: Take an ensemble of quantum
states, $S = \{p_{yb}, \rho_{yb}\}$, with double indices $yb \in \mathcal{Y} \times \mathcal{B}$, and an integer $q \geq 0$.
Suppose Alice sends Bob the state $\rho_{yb}$, where she alone knows indices $y$ and $b$.
Bob can perform any measurement on his system, but afterwards store at most
$q$ qubits, and an unlimited amount of classical information. Afterwards, Alice
tells him $b$. Bob's goal is now to approximate $y$ as accurately as possible, which
means that he has to make a guess $\hat{Y}$ that maximizes the success probability
$P_{succ} = \sum_{y,b} p_{yb}\Pr[\hat{Y} = y \mid \text{state } \rho_{yb}]$. For $|\mathcal{B}| = 1$, i.e., no post-measurement
information is available, $q$ is irrelevant and Bob's task is to discriminate among
states $\rho_y$. This is the well-known state discrimination problem, which we
encountered in Chapter 2, a problem studied since the early days of quantum
information science. A particular case that isolates the aspect of the timing
between measurements and side-information is one where for each fixed $b$, the
states $\rho_{yb}$ are mutually orthogonal: if Bob knew $b$, he could actually compute
$y$ perfectly. A special case of this problem is depicted in Figure 3.1. Here, Alice
picks a string $x \in \{0, 1\}^n$, and a basis $b \in \{+, \times\}$. She then encodes the
string in the chosen basis and sends the resulting state to Bob. Bob's goal is
now to determine $y = f(x)$ for a fixed function $f$. The states in this particular
problem are thus of the form $\rho_{yb} = \sum_{x \in f^{-1}(y)} P_{X|B=b}(x)\,U_b|x\rangle\langle x|U_b^\dagger$, for a function
$f : \mathcal{X} \to \mathcal{Y}$, and a set of mutually unbiased bases (MUBs) $\mathcal{B}$, given by the
unitaries $U_0 = I, U_1, \ldots, U_{|\mathcal{B}|-1}$ on a Hilbert space with basis $\{|x\rangle : x \in \mathcal{X}\}$, where
the string $x$ and a basis $b$ are drawn from the distribution $P_{X,B}$. We mostly focus
on this special case.

Figure 3.1: Using post-measurement information.

This problem also has an interpretation in terms of communication complexity.
Suppose Alice is given $b$, and Bob is given the state $\rho_{yb}$. If classical communication
is free, what is the minimum number of qubits Bob needs to send to Alice such
that Alice learns $y$? Note that Bob needs to send exactly $q$ qubits if and only
if there exists a strategy for Bob to compute $y$ in our task, while storing only $q$
qubits.



3.1.1 Outline 

In the following, we will close in on our problem in several stages. First, we briefly
recall the case of state discrimination without any post-measurement information
in Section 3.3. This enables us to draw comparisons later.

Second, in Section 3.4 we assume that Bob does receive post-measurement
information, but has no quantum memory at all, i.e. $q = 0$. His goal then is to
compute $f(x)$ given the classical outcome obtained by measuring $U_b|x\rangle$ and the
later announcement of $b$. Clearly, a trivial strategy for Bob is to simply guess
the basis, measure to obtain some string $x$ and take $y = f(x)$ as his answer. We
thus want to find a better strategy. In particular, we will see that for any number
of MUBs, any number of function outcomes, and any balanced $f$, Bob has a
systematic advantage over guessing the basis, independent of Furthermore,
we show that for any Boolean $f$, Bob can succeed with probability at least $P_{succ} \geq
1/2 + 1/(2\sqrt{2})$ even if he cannot store any qubits at all. The latter result is
relevant to the question of whether deterministic privacy amplification is possible
in the protocols of [DFSS05]. Here, Alice uses two MUBs, and secretly chooses a
function from a set of predetermined functions. She later tells Bob which function
he should evaluate, together with the basis information $b$. Is it possible to use a
fixed Boolean function instead? Our result shows that this is not possible.

It is interesting to consider when post-measurement information is useful for
Bob, and how large his advantage is compared to the case where he does not
receive any post-measurement information. To this end, we show how to phrase
our problem as a semidefinite program (SDP), in the case where Bob has no
quantum memory. In Section 3.4.2 we examine in detail the specific functions
XOR and AND, for which we prove optimal bounds on Bob's success probability.
In particular, the XOR on uniformly distributed strings of length $n$ with two or
three MUBs provides an extreme example of the usefulness of post-measurement
information: We show that for the XOR function with $n$ odd, $P_{succ} = 1/2 +
1/(2\sqrt{2})$. This is the same as Bob can achieve without the extra basis information.
For even $n$, $P_{succ} = 1$ with the additional basis information. Here, $P_{succ}$ jumps
from 3/4 (without) to certainty (with basis information). The advantage that
Bob gains can thus be maximal: without the post-measurement information, he
can do no better than guessing the basis. However, with it, he can compute
$y = f(x)$ perfectly. For even $n$, this was also observed in [DFSS05]. However,
our analysis for odd $n$ shows that the strategy for even $n$ does not work for
any linear function as claimed in [DFSS05]. It remains an interesting question
to find general conditions on the ensemble of states that determine how useful
post-measurement information can be. We return to this question in Chapter 6.4.



Finally, we address the case where Bob does have quantum memory available.
The question we are then interested in is: How large does this memory have to
be so that Bob can compute $y$ perfectly? In Section 3.5.1 we derive general
conditions that determine when $q$ qubits are sufficient. Our conditions impose
a restriction on the rank of Bob's measurement operators and require that all
such operators commute with the projector onto the support of $\rho_{yb}$, for all $y$
and $b$. In particular, we give a general algebraic framework that allows us to
determine $q$ for any number of bases, functions and outcomes, in combination
with an algorithm given in [KI02]. In Sections 3.5.2 and 3.5.3, we then consider
two specific examples: First, we show that for any Boolean $f$ and any two bases,
storing just a single qubit is sufficient for Bob to compute $f(x)$ perfectly. The
latter result again has implications to protocols in the bounded quantum storage
model: for all existing protocols, deterministic privacy amplification is indeed
hopeless. It turns out that part of this specific example also follows from known
results derived for non-local games as we will discuss below. Surprisingly, things
change dramatically when we are allowed to use three bases: We show how to
construct three bases, such that for any balanced $f$ Bob needs to keep all qubits
in order to compute $f(x)$ perfectly!



3.1.2 Related work 



In Chapter 2, we already examined the traditional setting of state discrimination
without post-measurement information. Some of the tools we need below
have found use in this setting as well. Many convex optimization problems can
be solved using semidefinite programming. We refer to Appendix X for an
introduction. Eldar [Eld03] and Eldar, Megretski and Verghese [EMV03] used
semidefinite programming to solve state discrimination problems, which is one
of the techniques we also use here. The square-root measurement [HW94] (also
called pretty good measurement) is an easily constructed measurement to
distinguish quantum states; however, it is only optimal for very specific sets of
states [EF01, EMV04]. Mochon constructed specific pure state discrimination
problems for which the square-root measurement is optimal [Moc07a]. We use
a variant of the square-root measurement as well. Furthermore, our problem is
related to the task of state filtering [BHH03, BHH05, BH05] and state
classification [WY06]. Here, Bob's goal is to determine whether a given state is either one
specific state or one of several other possible states, or, more generally, which
subset of states a given state belongs to. Our scenario differs, because we deal with
mixed states and Bob is allowed to use post-measurement information. Much
more is known about pure state discrimination problems and the case of
unambiguous state discrimination where we are not allowed to make an error. Since
we concentrate on mixed states, we refer to [BHH04] for an excellent survey on
the extended field of state discrimination.

Regarding state discrimination with post-measurement information, special
instances of the general problem have occurred in the literature under the heading
"mean king's problem" [AE01, KR05], where the stress was on the usefulness of
entanglement. Furthermore, it should be noted that prepare-and-measure
quantum key distribution schemes of the BB84 type also lead to special cases of this
problem: When considering optimal individual attacks, the eavesdropper is faced
with the task of extracting maximal information about the raw key bits, encoded
in an unknown basis, that she learns later during basis reconciliation.

Our result that one qubit of storage suffices for any Boolean function $f$
demonstrates that storing quantum information can give an adversary a great advantage
over storing merely classical information. It has also been shown in the context of
randomness extraction with respect to a quantum adversary that storing quantum
information can sometimes convey much more power to the adversary [GKK+06].

3.2 Preliminaries 

3.2.1 Notation and tools 

We need the following notions. The Bell basis is given by the vectors $|\Phi^\pm\rangle =
(|00\rangle \pm |11\rangle)/\sqrt{2}$ and $|\Psi^\pm\rangle = (|01\rangle \pm |10\rangle)/\sqrt{2}$. Furthermore, let
$f^{-1}(y) = \{x \in \mathcal{X} \mid f(x) = y\}$. We say that a function $f$ is balanced if and only if any element in
the image of $f$ is generated by equally many elements in the pre-image of $f$, i.e.
there exists a $k \in \mathbb{N}$ such that $\forall y \in \mathcal{Y}: |f^{-1}(y)| = k$.

3.2.2 Definitions 

We now give a more formal description of our problem. Let $\mathcal{Y}$ and $\mathcal{B}$ be finite
sets and let $P_{YB} = \{p_{yb}\}$ be a probability distribution over $\mathcal{Y} \times \mathcal{B}$. Consider an
ensemble of quantum states $\mathcal{E} = \{p_{yb}, \rho_{yb}\}$. We assume that $\mathcal{Y}$, $\mathcal{B}$, $\mathcal{E}$ and $P_{YB}$
are known to both Alice and Bob. Suppose now that Alice chooses $yb \in \mathcal{Y} \times \mathcal{B}$
according to probability distribution $P_{YB}$, and sends $\rho_{yb}$ to Bob. We can then
define the tasks:

3.2.1. Definition. State discRimination (STAR($\mathcal{E}$)) is the following task for
Bob. Given $\rho_{yb}$, determine $y$. He can perform any measurement on $\rho_{yb}$
immediately upon receipt.

3.2.2. Definition. State discRimination with Post-measurement Information
(PI$_q$-STAR($\mathcal{E}$)) is the following task for Bob. Given $\rho_{yb}$, determine $y$, where
Bob can use the following sources of information in succession:

1. First, he can perform any measurement on $\rho_{yb}$ immediately upon reception.
Afterwards, he can store at most $q$ qubits of quantum information about
$\rho_{yb}$, and an unlimited amount of classical information.

2. After Bob's measurement, Alice announces $b$.

3. Then, he may perform any measurement on the remaining $q$ qubits
depending on $b$ and the measurement outcome obtained in step 1.

We also say that Bob succeeds at STAR($\mathcal{E}$) or PI$_q$-STAR($\mathcal{E}$) with probability $p$
if and only if $p$ is the average success probability $p = \sum_{yb} p_{yb} \Pr[\hat{Y} = y \mid \text{state } \rho_{yb}]$,
where $\Pr[\hat{Y} = y \mid \text{state } \rho_{yb}]$ is the probability that Bob correctly determines $y$ given
$\rho_{yb}$ in the case of STAR, and in addition using information sources 1, 2 and 3 in
the case of PI-STAR.

Here, we are interested in the following special case: Consider a function
$f: \mathcal{X} \to \mathcal{Y}$ between finite sets, and a set of mutually unbiased bases $\mathcal{B}$ as
defined in Chapter 2, generated by a set of unitaries $U_0, U_1, \ldots, U_{|\mathcal{B}|-1}$ acting on
a Hilbert space with basis $\{|x\rangle \mid x \in \mathcal{X}\}$. Take $|\Phi_b^x\rangle = U_b|x\rangle$. Let $P_X$ and
$P_B$ be probability distributions over $\mathcal{X}$ and $\mathcal{B}$ respectively. We assume that $f$,
$\mathcal{X}$, $\mathcal{Y}$, $\mathcal{B}$, $P_X$, $P_B$, and the set of unitaries $\{U_b \mid b \in \mathcal{B}\}$ are known to both Alice
and Bob. Suppose now that Alice chooses $x \in \mathcal{X}$ and $b \in \mathcal{B}$ independently
according to probability distributions $P_X$ and $P_B$ respectively, and sends $|\Phi_b^x\rangle$ to
Bob. Bob's goal is now to compute $y = f(x)$. We thus obtain an instance of
our problem with states $\rho_{yb} = \sum_{x \in f^{-1}(y)} P_X(x) |\Phi_b^x\rangle\langle\Phi_b^x|$. We write STAR($f$) and
PI$_q$-STAR($f$) to denote both problems in this special case. We concentrate on
the case of mutually unbiased bases, as this case is most relevant to our initial
goal of analyzing protocols for quantum cryptography in the bounded storage
model [DFHB05].

Here, we make use of the basis set $\mathcal{B} = \{+, \times, \odot\}$, where $\mathcal{B}_+ = \{|0\rangle, |1\rangle\}$ is
the computational basis, $\mathcal{B}_\times = \{\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle), \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)\}$ is the Hadamard
basis, and $\mathcal{B}_\odot = \{\frac{1}{\sqrt{2}}(|0\rangle + i|1\rangle), \frac{1}{\sqrt{2}}(|0\rangle - i|1\rangle)\}$ is what we call the K-basis.
The unitaries that give rise to these bases are $U_+ = I$, $U_\times = H$ and $U_\odot = K$
with $K = (I + i\sigma_x)/\sqrt{2}$ respectively. Recall from Chapter 2 that the Hadamard
matrix is given by $H = \frac{1}{\sqrt{2}}(\sigma_x + \sigma_z)$, and that $\sigma_x$, $\sigma_z$ and $\sigma_y$ are the well-known
Pauli matrices. We generally assume that Bob has no a priori knowledge about
the outcome of the function and about the value of $b$. This means that $b$ is
chosen uniformly at random from $\mathcal{B}$, and, in the case of balanced functions, that
Alice chooses $x$ uniformly at random from $\mathcal{X}$. More generally, the distribution is
uniform on all $f^{-1}(y)$ and such that each value $y \in \mathcal{Y}$ is equally likely.

3.2.3 A trivial bound: guessing the basis 

Note that a simple strategy for Bob is to guess the basis, and then measure. This
approach leads to a lower bound on the success probability for both STAR and
PI-STAR. In short:

3.2.3. Lemma. Let $P_X(x) = \frac{1}{2^n}$ for all $x \in \{0,1\}^n$. Let $\mathcal{B}$ denote the set of
bases. Then for any balanced function $f: \mathcal{X} \to \mathcal{Y}$ Bob succeeds at STAR($f$) and
PI$_0$-STAR($f$) with probability at least

Pguess = p + - ^) 

Our goal is to beat this bound. We show that for PI-STAR, Bob can indeed do 
much better. 



3.3 No post-measurement information 

We first consider the standard case of state discrimination. Here, Alice does not 
supply Bob with any additional post-measurement information. Instead, Bob's 
goal is to compute $y = f(x)$ immediately. This analysis enables us to gain
interesting insights into the usefulness of post-measurement information later. 

3.3.1 Two simple examples 

We now examine two simple one-qubit examples of a state discrimination problem, 
which we make use of later on. Here, Bob's goal is to learn the value of a bit 
which has been encoded in two or three mutually unbiased bases while he does 
not know which basis has been used. 

3.3.1. Lemma. Let $x \in \{0, 1\}$, $P_X(x) = \frac{1}{2}$ and $f(x) = x$. Let $\mathcal{B} = \{+, \times\}$ with
$U_+ = I$ and $U_\times = H$. Then Bob succeeds at STAR($f$) with probability at most

$$p = \frac{1}{2} + \frac{1}{2\sqrt{2}}.$$

There exists a strategy for Bob that achieves $p$.

Proof. The probability of success follows from Theorem 2.2.2 with $\rho_0 =
\frac{1}{2}(|0\rangle\langle 0| + H|0\rangle\langle 0|H)$, $\rho_1 = \frac{1}{2}(|1\rangle\langle 1| + H|1\rangle\langle 1|H)$ and $q = 1/2$. □

3.3.2. Lemma. Let $x \in \{0, 1\}$, $P_X(x) = \frac{1}{2}$ and $f(x) = x$. Let $\mathcal{B} = \{+, \times, \odot\}$ with
$U_+ = I$, $U_\times = H$ and $U_\odot = K$. Then Bob succeeds at STAR($f$) with probability
at most

1 1 

There exists a strategy for Bob that achieves p. 



Proof. The proof is identical to that of Lemma 3.3.1 using $\rho_0 = \frac{1}{3}(|0\rangle\langle 0| +
H|0\rangle\langle 0|H + K|0\rangle\langle 0|K^\dagger)$, $\rho_1 = \frac{1}{3}(|1\rangle\langle 1| + H|1\rangle\langle 1|H + K|1\rangle\langle 1|K^\dagger)$, and $q = 1/2$. □

3.3.2 An upper bound for all Boolean functions



We now show that for any Boolean function $f$ and any number of mutually
unbiased bases, the probability that Bob succeeds at STAR($f$) is very limited.

3.3.3. Theorem. Let $|\mathcal{Y}| = 2$ and let $f$ be a balanced function. Let $\mathcal{B}$ be a set of
mutually unbiased bases. Then Bob succeeds at STAR($f$) with probability at most

$$p = \frac{1}{2} + \frac{1}{2\sqrt{|\mathcal{B}|}}.$$

In particular, for $|\mathcal{B}| = 2$ we obtain $(1 + 1/\sqrt{2})/2 \approx 0.853$; for $|\mathcal{B}| = 3$, we obtain
$(1 + 1/\sqrt{3})/2 \approx 0.789$.

Proof. The probability of success is given by Theorem 2.2.2 where for $y \in \{0, 1\}$

$$\rho_y = \frac{1}{2^{n-1}|\mathcal{B}|} \sum_{b=0}^{|\mathcal{B}|-1} P_{yb}$$

with $P_{yb} = \sum_{x \in f^{-1}(y)} U_b|x\rangle\langle x|U_b^\dagger$. Using the Cauchy-Schwarz inequality we can
show that

$$\|\rho_0 - \rho_1\|_1^2 = [\mathrm{Tr}(|\rho_0 - \rho_1| I)]^2 \leq \mathrm{Tr}[(\rho_0 - \rho_1)^2]\,\mathrm{Tr}[I^2] = 2^n\,\mathrm{Tr}[(\rho_0 - \rho_1)^2], \qquad (3.1)$$

or

$$\|\rho_0 - \rho_1\|_1 \leq \sqrt{2^n\,\mathrm{Tr}[(\rho_0 - \rho_1)^2]}.$$

A simple calculation shows that

$$\mathrm{Tr}[(\rho_0 - \rho_1)^2] = \frac{4}{2^n |\mathcal{B}|}.$$

The theorem follows from the previous equation, together with Theorem 2.2.2
and Eq. (3.1). □
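The bound of Theorem 3.3.3 can be checked numerically. The following Python sketch is an added example, not part of the thesis: it builds $\rho_0 - \rho_1$ for the bases $\{+, \times, \odot\}$ defined in Section 3.2.2, evaluates the Cauchy-Schwarz bound from Eq. (3.1), and compares it with the exact optimum for one qubit. The basis labels `"+"`, `"x"`, `"o"` and all function names are choices made for this example, and the equal-prior Helstrom expression $1/2 + \|\rho_0 - \rho_1\|_1/4$ is assumed.

```python
from itertools import product
from math import sqrt

S = 1 / sqrt(2)
# Single-qubit unitaries from Section 3.2.2: U_+ = I, U_x = H, U_o = K = (I + i*sigma_x)/sqrt(2)
UNITARIES = {
    "+": [[1, 0], [0, 1]],
    "x": [[S, S], [S, -S]],
    "o": [[S, 1j * S], [1j * S, S]],
}

def encoded_state(x, basis):
    """Amplitudes of U_b applied to every qubit of |x>, for a bit tuple x."""
    U = UNITARIES[basis]
    vec = [1]
    for bit in x:
        column = (U[0][bit], U[1][bit])      # U|bit>
        vec = [a * c for a in vec for c in column]
    return vec

def rho_difference(f, n, bases):
    """rho_0 - rho_1 for uniform x, uniform basis choice and balanced Boolean f."""
    dim = 2 ** n
    weight = 1 / (2 ** (n - 1) * len(bases))
    diff = [[0j] * dim for _ in range(dim)]
    for basis in bases:
        for x in product((0, 1), repeat=n):
            v = encoded_state(x, basis)
            sign = weight if f(x) == 0 else -weight
            for i in range(dim):
                for j in range(dim):
                    diff[i][j] += sign * v[i] * complex(v[j]).conjugate()
    return diff

def trace_of_square(m):
    """Tr(M^2) of a Hermitian matrix M, which equals the sum of |M_ij|^2."""
    return sum(abs(entry) ** 2 for row in m for entry in row)

def cauchy_schwarz_bound(f, n, bases):
    """1/2 + sqrt(2^n Tr[(rho_0 - rho_1)^2]) / 4, the bound that follows from Eq. (3.1)."""
    d = rho_difference(f, n, bases)
    return 0.5 + sqrt(2 ** n * trace_of_square(d)) / 4

def helstrom_single_qubit(bases):
    """Exact optimum for f(x) = x on one qubit: 1/2 + ||rho_0 - rho_1||_1 / 4."""
    d = rho_difference(lambda x: x[0], 1, bases)
    half_trace = (d[0][0] + d[1][1]).real / 2
    det = (d[0][0] * d[1][1] - d[0][1] * d[1][0]).real
    root = sqrt(max(half_trace ** 2 - det, 0.0))   # eigenvalues are half_trace +/- root
    trace_norm = abs(half_trace + root) + abs(half_trace - root)
    return 0.5 + trace_norm / 4

def xor(x):
    return sum(x) % 2

def first_bit(x):
    return x[0]

if __name__ == "__main__":
    for bases in ("+x", "+xo"):
        print(bases, "n=1 exact:", round(helstrom_single_qubit(bases), 4))
        for n, f in ((2, xor), (3, first_bit), (3, xor)):
            print("  n=%d %s bound: %.4f" % (n, f.__name__, cauchy_schwarz_bound(f, n, bases)))
```

For one qubit the exact value coincides with the bound, while for the XOR on two bits the bound of about 0.853 is not attained (Theorem 3.3.5 gives 3/4).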



3.3.3 AND function 

One of the simplest functions to consider is the AND function. Recall that we
always assume that Bob has no a priori knowledge about the outcome of the
function. In the case of the AND, this means that we are considering a very
specific prior: with probability 1/2 Alice will choose the only string $x$ for which
AND($x$) $= 1$. Without any post-measurement information, Bob can already
compute the AND quite well.

3.3.4. Theorem. Let $P_X(x) = 1/(2(2^n - 1))$ for all $x \in \{0, 1\}^n \setminus \{1 \ldots 1\}$ and
$P_X(1 \ldots 1) = \frac{1}{2}$. Let $\mathcal{B} = \{+, \times\}$ with $U_+ = I^{\otimes n}$, $U_\times = H^{\otimes n}$ and $P_B(+) = P_B(\times) =
1/2$. Then Bob succeeds at STAR(AND) with probability at most

(3.2)

There exists a strategy for Bob that achieves $p$.

Proof. Let $|c_1\rangle = |1\rangle^{\otimes n}$ and $|h_1\rangle = [H|1\rangle]^{\otimes n}$. Eq. (3.2) is obtained by
substituting

$$\rho_0 = \frac{1}{2}\left[\frac{I - |c_1\rangle\langle c_1|}{2^n - 1} + \frac{I - |h_1\rangle\langle h_1|}{2^n - 1}\right], \qquad \rho_1 = \frac{1}{2}\left(|c_1\rangle\langle c_1| + |h_1\rangle\langle h_1|\right)$$

and $q = 1/2$ in Theorem 2.2.2. □

In Theorem 3.4.3, we show an optimal bound for the case that Bob does
indeed receive the extra information. By comparing the previous equation with
Eq. (3.4) later on, we can see that for $n = 1$ announcing the basis does not help.
However, for $n > 1$ we will observe an improvement of $[2(2^n + 2^{n/2} - 2)]^{-1}$.



3.3.4 XOR function 

The XOR function provides an example of a Boolean function where we observe 
both the largest advantage as well as the smallest advantage in receiving post- 
measurement information: For strings of even length we show that without the 
extra information Bob can never do better than guessing the basis. For strings 
of odd length, however, he can do quite a bit better. Interestingly, it turns out 
that in this case the post-measurement information is completely useless to him. 
We first investigate how well Bob does at STAR(XOR) for two bases: 

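3.3.5. Theorem. Let $P_X(x) = \frac{1}{2^n}$ for all $x \in \{0,1\}^n$. Let $\mathcal{B} = \{+, \times\}$ with
$U_+ = I^{\otimes n}$, $U_\times = H^{\otimes n}$ and $P_B(+) = P_B(\times) = 1/2$. Then Bob succeeds at
STAR(XOR) with probability at most

$$p = \begin{cases} \frac{3}{4} & \text{if } n \text{ is even,} \\ \frac{1}{2}\left(1 + \frac{1}{\sqrt{2}}\right) & \text{if } n \text{ is odd.} \end{cases}$$

There exists a strategy for Bob that achieves $p$.

Proof. Our proof works by induction on $n$. The case of $n = 1$ was addressed in
Lemma 3.3.1. Now, consider $n = 2$: Let $\sigma_0^{(2)} = \frac{1}{2}(\rho_{0+}^{(2)} + \rho_{0\times}^{(2)})$ and $\sigma_1^{(2)} = \frac{1}{2}(\rho_{1+}^{(2)} +
\rho_{1\times}^{(2)})$, where $\rho_{0b}^{(n)}$ and $\rho_{1b}^{(n)}$ are defined as $\rho_{yb}^{(n)} = \frac{1}{2^{n-1}} \sum_{x \in \{0,1\}^n,\, x \in \mathrm{XOR}^{-1}(y)} U_b|x\rangle\langle x|U_b^\dagger$
with $y \in \{0, 1\}$ and $b \in \mathcal{B} = \{+, \times\}$. A straightforward calculation shows that

$$\|\sigma_0^{(2)} - \sigma_1^{(2)}\|_1 = 1.$$

We now show that the trace distance does not change when we go from strings
of length $n$ to strings of length $n + 2$: Note that we can write

$$\begin{aligned}
\rho_{0+}^{(n+2)} &= \tfrac{1}{2}\left(\rho_{0+}^{(n)} \otimes \rho_{0+}^{(2)} + \rho_{1+}^{(n)} \otimes \rho_{1+}^{(2)}\right) \\
\rho_{0\times}^{(n+2)} &= \tfrac{1}{2}\left(\rho_{0\times}^{(n)} \otimes \rho_{0\times}^{(2)} + \rho_{1\times}^{(n)} \otimes \rho_{1\times}^{(2)}\right) \\
\rho_{1+}^{(n+2)} &= \tfrac{1}{2}\left(\rho_{0+}^{(n)} \otimes \rho_{1+}^{(2)} + \rho_{1+}^{(n)} \otimes \rho_{0+}^{(2)}\right) \\
\rho_{1\times}^{(n+2)} &= \tfrac{1}{2}\left(\rho_{0\times}^{(n)} \otimes \rho_{1\times}^{(2)} + \rho_{1\times}^{(n)} \otimes \rho_{0\times}^{(2)}\right).
\end{aligned} \qquad (3.3)$$

Let $\sigma_0^{(n)} = \frac{1}{2}(\rho_{0+}^{(n)} + \rho_{0\times}^{(n)})$ and $\sigma_1^{(n)} = \frac{1}{2}(\rho_{1+}^{(n)} + \rho_{1\times}^{(n)})$. A small calculation shows that

$$\begin{aligned}
\sigma_0^{(n+2)} - \sigma_1^{(n+2)} = \tfrac{1}{8}\Big[ &\left(\rho_{0+}^{(n)} + \rho_{0\times}^{(n)} - \rho_{1+}^{(n)} - \rho_{1\times}^{(n)}\right) \otimes |\Phi^+\rangle\langle\Phi^+| \\
+ &\left(\rho_{0+}^{(n)} + \rho_{1\times}^{(n)} - \rho_{1+}^{(n)} - \rho_{0\times}^{(n)}\right) \otimes |\Phi^-\rangle\langle\Phi^-| \\
- &\left(\rho_{0+}^{(n)} + \rho_{0\times}^{(n)} - \rho_{1+}^{(n)} - \rho_{1\times}^{(n)}\right) \otimes |\Psi^-\rangle\langle\Psi^-| \\
- &\left(\rho_{0+}^{(n)} + \rho_{1\times}^{(n)} - \rho_{1+}^{(n)} - \rho_{0\times}^{(n)}\right) \otimes |\Psi^+\rangle\langle\Psi^+| \Big].
\end{aligned}$$

We then get that

$$\|\sigma_0^{(n+2)} - \sigma_1^{(n+2)}\|_1 = \tfrac{1}{2}\left(\|\sigma_0^{(n)} - \sigma_1^{(n)}\|_1 + \|\tilde{\sigma}_0^{(n)} - \tilde{\sigma}_1^{(n)}\|_1\right),$$

where $\tilde{\sigma}_0^{(n)} = \frac{1}{2}(\rho_{0+}^{(n)} + \rho_{1\times}^{(n)})$ and $\tilde{\sigma}_1^{(n)} = \frac{1}{2}(\rho_{1+}^{(n)} + \rho_{0\times}^{(n)})$. Consider the unitary $U = \sigma^{\otimes n}$
if $n$ is odd, and $U = \sigma^{\otimes n-1} \otimes I$ if $n$ is even. It is easy to verify that $\tilde{\sigma}_0^{(n)} = U\sigma_0^{(n)}U^\dagger$
and $\tilde{\sigma}_1^{(n)} = U\sigma_1^{(n)}U^\dagger$. We thus have that $\|\tilde{\sigma}_0^{(n)} - \tilde{\sigma}_1^{(n)}\|_1 = \|\sigma_0^{(n)} - \sigma_1^{(n)}\|_1$ and
therefore

$$\|\sigma_0^{(n+2)} - \sigma_1^{(n+2)}\|_1 = \|\sigma_0^{(n)} - \sigma_1^{(n)}\|_1.$$

It then follows from Helstrom's Theorem 2.2.2 that the maximum probability
to distinguish $\sigma_0^{(n+2)}$ from $\sigma_1^{(n+2)}$ and thus compute the XOR of the $n + 2$ bits is
given by

$$\frac{1}{2} + \frac{\|\sigma_0^{(n)} - \sigma_1^{(n)}\|_1}{4},$$

which gives the claimed result. □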






A similar argument is possible if we use three mutually unbiased bases.
Intuitively, one might expect Bob's chance of success to drop as we add more bases.
Interestingly, however, we obtain the same bound of 3/4 if $n$ is even.

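3.3.6. Theorem. Let $P_X(x) = \frac{1}{2^n}$ for all $x \in \{0, 1\}^n$. Let $\mathcal{B} = \{+, \times, \odot\}$ with
$U_+ = I^{\otimes n}$, $U_\times = H^{\otimes n}$, and $U_\odot = K^{\otimes n}$ with $P_B(+) = P_B(\times) = P_B(\odot) = 1/3$.
Then Bob succeeds at STAR(XOR) with probability at most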



V 




if n is even, 
if n is odd. 



There exists a strategy for Bob that achieves p. 

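Proof. Our proof is very similar to the case of only 2 mutually unbiased
bases. The case of $n = 1$ follows from Lemma 3.3.2. This time, we have for
$n = 2$: $\sigma_0^{(2)} = \frac{1}{3}(\rho_{0+}^{(2)} + \rho_{0\times}^{(2)} + \rho_{0\odot}^{(2)})$ and $\sigma_1^{(2)} = \frac{1}{3}(\rho_{1+}^{(2)} + \rho_{1\times}^{(2)} + \rho_{1\odot}^{(2)})$. We have

$$\|\sigma_0^{(2)} - \sigma_1^{(2)}\|_1 = 1.$$

We again show that the trace distance does not change when we go from
strings of length $n$ to strings of length $n + 2$. We use the definitions from Eq.
(3.3) and let

$$\begin{aligned}
\rho_{0\odot}^{(n+2)} &= \tfrac{1}{2}\left(\rho_{0\odot}^{(n)} \otimes \rho_{0\odot}^{(2)} + \rho_{1\odot}^{(n)} \otimes \rho_{1\odot}^{(2)}\right) \\
\rho_{1\odot}^{(n+2)} &= \tfrac{1}{2}\left(\rho_{0\odot}^{(n)} \otimes \rho_{1\odot}^{(2)} + \rho_{1\odot}^{(n)} \otimes \rho_{0\odot}^{(2)}\right).
\end{aligned}$$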

We can compute 



(n+2) (n+2) _ 1 [/-(n) -(n) 



ao -a 



-(a!")-aS"))®|vl/^)(vI/-| 

where aj") = (p^^ + p^ + pt^)/3, a^^ = {p^ + pti + pg)/3, = (pS'J + 
pS + pfeVs, ^i"^ = (pSi + piS + Pti)l^^ = (pS + piS + pg)/3, and 
ctJ"^ = (pj") + p["^ + pSqVS- Consider the unitaries [/ = a^", f/ = af", and 
U = af " if n is odd, and f/ = (t^"-i ® I, = af""^ ® I, and U = (xf ® I if n 
is even. It is easily verified that aj"^ = U^^'^W, aj"^ = f/af"^f/t, ctJ"^ = Uai^^U\ 
^(n) ^ ^^(n)^t, ^(-) = [7a(")f/t, and ai"^ = Ua^'^W. We then get that 

$$\|\sigma_0^{(n+2)} - \sigma_1^{(n+2)}\|_1 = \|\sigma_0^{(n)} - \sigma_1^{(n)}\|_1,$$

from which the claim follows. □

Surprisingly, if Bob does have some a priori knowledge about the outcome of
the XOR the problem becomes much harder for Bob. By expressing the states in
the Bell basis and using Helstrom's result, it is easy to see that if Alice chooses
$x \in \{0,1\}^2$ such that with probability $q$, XOR($x$) $= 0$, and with probability
$(1 - q)$, XOR($x$) $= 1$, Bob's probability of learning XOR($x$) correctly is minimized
for $q = 1/3$. In that case, Bob succeeds with probability at most 2/3, which can
be achieved by the trivial strategy of ignoring the state he received and always
outputting 1. This is an explicit example where making a measurement does not
help in state discrimination. It has previously been noted by Hunter [Hun03] that
such cases can exist in mixed-state discrimination.



3.4 Using post-measurement information 

We are now ready to advance to the core of our problem. We first consider
the case where Bob does receive post-measurement information, but still has
no quantum memory at his disposal. Consider an instance of PI$_0$-STAR with a
function $f: \mathcal{X} \to \mathcal{Y}$ and $m = |\mathcal{B}|$ bases, and some priors $P_X$ and $P_B$ on the sets $\mathcal{X}$
and $\mathcal{B}$. If Bob cannot store any quantum information, all his nontrivial actions are
contained in the first measurement, which must equip him with possible outputs
$o_i \in \mathcal{Y}$ for each basis $i = 1, \ldots, m$. In other words, his most general strategy is a
POVM with $|\mathcal{Y}|^m$ outcomes, each labeled by the strings $o_1, \ldots, o_m$ for $o_i \in \mathcal{Y}$ and
$m = |\mathcal{B}|$. Once Alice has announced $b$, Bob outputs $\hat{Y} = o_b$. Here we first prove
a general lower bound on the usefulness of post-measurement information that
beats the guessing bound. Then, we analyze in detail the AND and the XOR
function on $n$ bits.



3.4.1 A lower bound for balanced functions 

We first give a lower bound on Bob's success probability for any balanced function
and any number of mutually unbiased bases, by constructing an explicit
measurement that achieves it. Without loss of generality, we assume in this section that
$\mathcal{B} = \{0, \ldots, m - 1\}$, as otherwise we could consider a lexicographic ordering of $\mathcal{B}$.

3.4.1. Theorem. Let $f: \mathcal{X} \to \mathcal{Y}$ be a balanced function, and let $P_X$ and $P_B$
be the uniform distributions over $\mathcal{X}$ and $\mathcal{B}$ respectively. Let the set of unitaries
$\{U_b \mid b \in \mathcal{B}\}$ give rise to $|\mathcal{B}|$ mutually unbiased bases, and choose an encoding
such that $\forall x, x' \in \mathcal{X}: \langle x|x'\rangle = \delta_{xx'}$. Then Bob succeeds at PI$_0$-STAR($f$) with
probability at least



\y\-^ ifm = 2 

1^1(13^1+3) ''J ^' 

V — Pguess + \ 3|y|(2+|3;|(|y|+6)) IJ 171 — 6, 



2_ , 2(\y\+m-i) .fm>4 

■ 2\y\ ^ |y|2+3|y|(m-l)+m2-3m+2 ''■> '"' - ^■ 

where $p_{guess}$ is the probability that Bob can achieve by guessing the basis as given
in Lemma 3.2.3. In particular, we always have $p > p_{guess}$.

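Proof. Our proof works by constructing a square-root type measurement that
achieves the lower bound. As explained above, Bob's strategy for learning $f(x)$
is to perform a measurement with $|\mathcal{Y}|^m$ possible outcomes, labeled by the strings
$o_1, \ldots, o_m$ for $o_i \in \mathcal{Y}$ and $m = |\mathcal{B}|$. Once Alice has announced $b$, Bob outputs
$f(x) = o_b$.

Take the projector $P_{yb} = \sum_{x \in f^{-1}(y)} |\Phi_b^x\rangle\langle\Phi_b^x|$ and $\rho_{yb} = \frac{1}{k} P_{yb}$, where $k =
|f^{-1}(y)| = |\mathcal{X}|/|\mathcal{Y}|$. Let $M_{o_1,\ldots,o_m}$ denote the measurement operator corresponding
to outcome $o_1, \ldots, o_m$. Note that outcome $o_1, \ldots, o_m$ is the correct outcome for
input state $\rho_{yb}$ if and only if $o_b = y$. We can then write Bob's probability of
success as

$$\frac{1}{m|\mathcal{Y}|} \sum_{o_1,\ldots,o_m \in \mathcal{Y}} \mathrm{Tr}\left[M_{o_1,\ldots,o_m} \left(\sum_{b \in \mathcal{B}} \rho_{o_b b}\right)\right].$$

We make use of the following measurement:

$$M_{o_1,\ldots,o_m} = S^{-1/2} \left(\sum_{b \in \mathcal{B}} P_{o_b b}\right)^3 S^{-1/2} \quad \text{with} \quad S = \sum_{o_1,\ldots,o_m \in \mathcal{Y}} \left(\sum_{b \in \mathcal{B}} P_{o_b b}\right)^3.$$

Clearly, we have $\sum_{o_1,\ldots,o_m \in \mathcal{Y}} M_{o_1,\ldots,o_m} = I$ and $\forall o_1, \ldots, o_m \in \mathcal{Y}: M_{o_1,\ldots,o_m} \geq 0$ by
construction and thus we indeed have a valid measurement. We first show that
$S = c_m I$:

$$\begin{aligned}
S &= \sum_{o_1,\ldots,o_m \in \mathcal{Y}} \Big(\sum_{b \in \mathcal{B}} P_{o_b b}\Big)^3 \\
&= \sum_{o_1,\ldots,o_m \in \mathcal{Y}} \ \sum_{b,b',b'' \in \mathcal{B}} P_{o_b b} P_{o_{b'} b'} P_{o_{b''} b''} \\
&= \sum_{o_1,\ldots,o_m \in \mathcal{Y}} \Big( \sum_{b} P_{o_b b} + 2 \sum_{bb',\, b \neq b'} P_{o_b b} P_{o_{b'} b'} + \sum_{bb',\, b \neq b'} P_{o_b b} P_{o_{b'} b'} P_{o_b b} + \sum_{bb'b'',\, b \neq b',\, b \neq b'',\, b' \neq b''} P_{o_b b} P_{o_{b'} b'} P_{o_{b''} b''} \Big) \\
&= \left[ m|\mathcal{Y}|^{m-1} + 2m(m-1)|\mathcal{Y}|^{m-2} + m(m-1)|\mathcal{Y}|^{m-2} + m(m-1)(m-2)|\mathcal{Y}|^{m-3} \bar{\delta}_{2m} \right] I,
\end{aligned}$$

where $\bar{\delta}_{2m} = 1 - \delta_{2m}$ and we have used the definition that for any $b$, $P_{o_b b}$ is a
projector and $\sum_{x \in \mathcal{X}} |\Phi_b^x\rangle\langle\Phi_b^x| = I$ which gives $\sum_{o_b \in \mathcal{Y}} P_{o_b b} = \sum_{o_b \in \mathcal{Y}} \sum_{x \in f^{-1}(o_b)} |\Phi_b^x\rangle\langle\Phi_b^x| =
I$. We can then write Bob's probability of success using this particular
measurement as

$$\frac{1}{c_m k m |\mathcal{Y}|} \sum_{o_1,\ldots,o_m \in \mathcal{Y}} \mathrm{Tr}\left[\left(\sum_{b \in \mathcal{B}} P_{o_b b}\right)^4\right].$$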

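It remains to evaluate this expression. Using the circularity of the trace, we
obtain

$$\begin{aligned}
\sum_{o_1,\ldots,o_m \in \mathcal{Y}} \mathrm{Tr}\Big[\Big(\sum_{b \in \mathcal{B}} P_{o_b b}\Big)^4\Big]
&= \sum_{o_1,\ldots,o_m \in \mathcal{Y}} \mathrm{Tr}\Big[ \sum_b P_{o_b b} + 6 \sum_{bb',\, b \neq b'} P_{o_b b} P_{o_{b'} b'} \\
&\quad + 4 \sum_{bb'b'' \text{ distinct}} P_{o_b b} P_{o_{b'} b'} P_{o_{b''} b''} + 2 \sum_{bb'b'' \text{ distinct}} P_{o_b b} P_{o_{b'} b'} P_{o_b b} P_{o_{b''} b''} \\
&\quad + \sum_{bb'b''\tilde{b} \text{ distinct}} P_{o_b b} P_{o_{b'} b'} P_{o_{b''} b''} P_{o_{\tilde{b}} \tilde{b}} + \sum_{bb',\, b \neq b'} P_{o_b b} P_{o_{b'} b'} P_{o_b b} P_{o_{b'} b'} \Big] \\
&\geq \left[ m|\mathcal{Y}|^{m-1} + 6m(m-1)|\mathcal{Y}|^{m-2} + 6m(m-1)(m-2)|\mathcal{Y}|^{m-3} \bar{\delta}_{2m} \right. \\
&\quad \left. + m(m-1)(m-2)(m-3)|\mathcal{Y}|^{m-4} \bar{\delta}_{2m} \bar{\delta}_{3m} \right] \mathrm{Tr}(I) + m(m-1)|\mathcal{Y}|^{m-2} k,
\end{aligned}$$

where we have again used the assumption that for any $b$, $P_{o_b b}$ is a projector
and $\sum_{x \in \mathcal{X}} |\Phi_b^x\rangle\langle\Phi_b^x| = I$ with $\mathrm{Tr}(I) = |\mathcal{X}|$. For the last term we have used
the following: Note that $\mathrm{Tr}(P_{o_b b} P_{o_{b'} b'}) = k^2/|\mathcal{X}|$, because we assumed mutually
unbiased bases. Let $r = \mathrm{rank}(P_{o_b b} P_{o_{b'} b'})$. Using Cauchy-Schwarz, we can then
bound $\mathrm{Tr}((P_{o_b b} P_{o_{b'} b'})^2) = \sum_{i=1}^{r} \lambda_i(P_{o_b b} P_{o_{b'} b'})^2 \geq k^4/(r|\mathcal{X}|^2) \geq k^3/|\mathcal{X}|^2 = k/|\mathcal{Y}|^2$,
where $\lambda_i(A)$ is the $i$-th eigenvalue of a matrix $A$, by noting that $r \leq k$ since
$\mathrm{rank}(P_{o_b b}) = \mathrm{rank}(P_{o_{b'} b'}) = k$. Putting things together we obtain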



P> 



Cm'm 



where $m = |\mathcal{B}|$, $c_m = G_m(1) + 3G_m(2) + G_m(3)$ and function $G_m: \mathbb{N} \to \mathbb{N}$ defined
as $G_m(i) = \frac{m!}{(m-i)!} |\mathcal{Y}|^{m-i} \prod_{j=2}^{i-1} \bar{\delta}_{mj}$. This expression can be simplified to obtain the
claimed result. □



Note that we have only used the assumption that Alice uses mutually
unbiased bases in the very last step to say that $\mathrm{Tr}(P_{o_b b} P_{o_{b'} b'}) = k^2/|\mathcal{X}|$. One could
generalize our argument to other cases by evaluating $\mathrm{Tr}(P_{o_b b} P_{o_{b'} b'})$ approximately.

In the special case $m = |\mathcal{Y}| = 2$ (i.e. binary function, with two bases) we
obtain:

3.4.2. Corollary. Let $f: \{0, 1\}^n \to \{0, 1\}$ be a balanced function and let
$P_X(x) = 2^{-n}$ for all $x \in \{0,1\}^n$. Let $\mathcal{B} = \{0,1\}$ with $U_0 = I^{\otimes n}$, $U_1 = H^{\otimes n}$
and $P_B(0) = P_B(1) = 1/2$. Then Bob succeeds at PI$_0$-STAR($f$) with probability
$p \geq 0.85$.



Observe that this almost attains the upper bound of $\approx 0.853$ of Lemma 3.3.1 in
the case of no post-measurement information. In Section 3.5.2 we show that
indeed this bound can always be achieved when post-measurement information
is available.

It is perhaps interesting to note that our general bound depends only on the
number of function values $|\mathcal{Y}|$ and the number of bases $m$. The number of function
inputs $|\mathcal{X}|$ itself does not play a direct role.

3.4.2 Optimal bounds for the AND and XOR function 

We now show that for some specific functions, the probability of success can even
be much larger. We hereby concentrate on the case where Alice uses two or three
mutually unbiased bases to encode her input. Our proofs thereby lead to explicit
measurements. In the following, we again assume that Bob has no a priori
knowledge of the function value. It turns out that the optimal measurement directly
leads us to the essential idea underlying our algebraic framework of Section 3.5.1.



AND function 

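3.4.3. Theorem. Let $P_X(x) = 1/(2(2^n - 1))$ for all $x \in \{0, 1\}^n \setminus \{1 \ldots 1\}$ and
$P_X(1 \ldots 1) = \frac{1}{2}$. Let $\mathcal{B} = \{+, \times\}$ with $U_+ = I^{\otimes n}$, $U_\times = H^{\otimes n}$ and $P_B(+) =
P_B(\times) = 1/2$. Then Bob succeeds at PI$_0$-STAR(AND) with probability at most

$$p = \frac{1}{2}\left[2 + \frac{1}{2^n + 2^{n/2} - 2} - \frac{1}{2^n - 1}\right]. \qquad (3.4)$$

There exists a strategy for Bob that achieves $p$.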

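Proof. To learn the value of AND($x$), Bob uses the same strategy as in
Section 3.4.1: he performs a measurement with 4 possible outcomes, labeled by
the strings $o_+, o_\times$ with $o_+, o_\times \in \{0, 1\}$. Once Alice has announced her basis choice
$b \in \{+, \times\}$, Bob outputs AND($x$) $= o_b$. Note that without loss of generality we
can assume that Bob's measurement has only 4 outcomes, i.e. Bob only stores
2 bits of classical information because he will only condition his answer on the
value of $b$ later on.

Following the approach in the last section, we can write Bob's optimal
probability of success as a semidefinite program:

maximize $\frac{1}{4} \sum_{o_+, o_\times \in \{0,1\}} \mathrm{Tr}[b_{o_+ o_\times} M_{o_+ o_\times}]$
subject to $\forall o_+, o_\times \in \{0,1\}: M_{o_+ o_\times} \geq 0$,
$\sum_{o_+, o_\times \in \{0,1\}} M_{o_+ o_\times} = I$,

where

$$b_{00} = \rho_{0+} + \rho_{0\times}, \qquad b_{01} = \rho_{0+} + \rho_{1\times},$$
$$b_{10} = \rho_{1+} + \rho_{0\times}, \qquad b_{11} = \rho_{1+} + \rho_{1\times},$$

with $\forall y \in \{0, 1\}, b \in \{+, \times\}: \rho_{yb} = \frac{1}{|\mathrm{AND}^{-1}(y)|} \sum_{x \in \mathrm{AND}^{-1}(y)} U_b|x\rangle\langle x|U_b^\dagger$. Consider
$\mathcal{H}_2$, the 2-dimensional Hilbert space spanned by $|c_1\rangle = |1\rangle^{\otimes n}$ and $|h_1\rangle = |1_\times\rangle^{\otimes n}$.
Let $|c_0\rangle \in \mathcal{H}_2$ and $|h_0\rangle \in \mathcal{H}_2$ be the state vectors orthogonal to $|c_1\rangle$ and $|h_1\rangle$
respectively. They can be expressed as:

$$|c_0\rangle = \frac{(-1)^{n+1}|c_1\rangle + 2^{n/2}|h_1\rangle}{\sqrt{2^n - 1}}, \qquad |h_0\rangle = \frac{2^{n/2}|c_1\rangle + (-1)^{n+1}|h_1\rangle}{\sqrt{2^n - 1}}.$$

Then $\Pi_\parallel = |c_0\rangle\langle c_0| + |c_1\rangle\langle c_1| = |h_0\rangle\langle h_0| + |h_1\rangle\langle h_1|$ is a projector onto $\mathcal{H}_2$. Let $\Pi_\perp$
be a projector onto the orthogonal complement of $\mathcal{H}_2$. Note that the $b_{o_+ o_\times}$ are
all composed of two blocks, one supported on $\mathcal{H}_2$ and the other on its orthogonal
complement. We can thus write

$$\begin{aligned}
b_{00} &= \frac{2\Pi_\perp}{2^n - 1} + \frac{|c_0\rangle\langle c_0| + |h_0\rangle\langle h_0|}{2^n - 1}, \\
b_{01} &= \frac{\Pi_\perp}{2^n - 1} + \frac{|c_0\rangle\langle c_0|}{2^n - 1} + |h_1\rangle\langle h_1|, \\
b_{10} &= \frac{\Pi_\perp}{2^n - 1} + \frac{|h_0\rangle\langle h_0|}{2^n - 1} + |c_1\rangle\langle c_1|, \\
b_{11} &= |c_1\rangle\langle c_1| + |h_1\rangle\langle h_1|.
\end{aligned} \qquad (3.5)$$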

We give an explicit measurement that achieves p and then show that it is optimal. 
Take 



M, 



00 



M, 



O+Ox 



|V'o+Ox)(V'o+Oxl, 



with $\lambda_{01} = \lambda_{10} = (1 + \eta)^{-1}$ where



l-2^2^(-l)"+i2/3y^l^V2^ 
2^V2 



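$$|\psi_{01}\rangle = \alpha|c_0\rangle + \beta|c_1\rangle,$$
$$|\psi_{10}\rangle = \alpha|h_0\rangle + \beta|h_1\rangle,$$

with $\alpha$ and $\beta$ real and satisfying $\alpha^2 + \beta^2 = 1$. We also set $M_{11} = I - M_{00} - M_{01} -
M_{10}$. We take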

p = (-1)" , !

Putting it all together, we thus calculate Bob's probability of success:

$$p = \frac{1}{2}\left[2 + \frac{1}{2^n + 2^{n/2} - 2} - \frac{1}{2^n - 1}\right].$$



We now show that this is in fact the optimal measurement for Bob. For this
we consider the dual of our semidefinite program above:

minimize $\mathrm{Tr}(Q)$
subject to $\forall o_+, o_\times \in \{0,1\}: Q \geq b_{o_+ o_\times}/4$.

Our goal is now to find a $Q$ such that $p = \mathrm{Tr}(Q)$ and $Q$ is dual feasible. We can
then conclude from the duality of SDP that $p$ is optimal. Consider



Q 



n 



2(2"-l) 



+ 



1 I 2— .2"'""'^'^/'^+2'^"'/^ 
2_3.2^/2+23"/2 



i\c,){c^\ + \h){h\) 



4(2^ t+2"-3) 



{\c,){h,\ + \c,){h\). 



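Now we only need to show that the $Q$ above satisfies the constraints, i.e. $\forall o_+, o_\times \in
\{0, 1\}: Q \geq b_{o_+ o_\times}/4$. Let $Q_\perp = \Pi_\perp Q \Pi_\perp$ and $Q_\parallel = \Pi_\parallel Q \Pi_\parallel$. By taking a look at
Eq. (3.5) one can easily see that $Q_\perp \geq \frac{1}{4}\Pi_\perp b_{o_+ o_\times} \Pi_\perp$, so that it is only left to show
that

$$Q_\parallel \geq \tfrac{1}{4}\Pi_\parallel b_{o_+ o_\times} \Pi_\parallel \quad \text{for } o_+, o_\times \in \{0, 1\},\ o_+ o_\times \neq 00.$$

These are $2 \times 2$ matrices and this can be done straightforwardly. We thus have
$\mathrm{Tr}(Q) = p$ and the result follows from the duality of semidefinite programming.
□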



It also follows that if Bob just wants to learn the value of a single bit, he can do
no better than what he could achieve without waiting for Alice's announcement
of the basis $b$:

3.4.4. Corollary. Let $x \in \{0,1\}$, $P_X(x) = \frac{1}{2}$ and $f(x) = x$. Let $\mathcal{B} = \{+, \times\}$
with $U_+ = I$ and $U_\times = H$. Then Bob succeeds at PI$_0$-STAR($f$) with probability
at most

$$p = \frac{1}{2} + \frac{1}{2\sqrt{2}}.$$

There exists a strategy for Bob that achieves $p$.

The AND function provides an intuitive example of how Bob can compute
the value of a function perfectly by storing just a single qubit. Consider the
measurement with elements $\{\Pi_\parallel, \Pi_\perp\}$ from the previous section. It is easy to see
that the outcome $\perp$ has zero probability if AND($x$) $= 1$. Thus, if Bob obtains that
outcome he can immediately conclude that AND($x$) $= 0$. If Bob obtains outcome
$\parallel$ then the post-measurement states live in a 2-dimensional Hilbert space ($\mathcal{H}_2$),
and can therefore be stored in a single qubit. Thus, by keeping the remaining
state we can calculate the AND perfectly once the basis is announced. Our proof
in Section 3.5.2, which shows that in fact all Boolean functions can be computed
perfectly if Bob can store only a single qubit, makes use of a very similar effect
to the one we observed here explicitly.



XOR function 

We now examine the XOR function. This will be useful in order to gain some 
insight into the usefulness of post-measurement information later. For strings 
of even length, there exists a simple strategy for Bob even when three mutually 
unbiased bases are used. 

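3.4.5. Theorem. Let $n \in \mathbb{N}$ be even, and let $P_X(x) = \frac{1}{2^n}$ for all $x \in \{0,1\}^n$.
Let $\mathcal{B} = \{+, \times, \odot\}$ with $U_+ = I^{\otimes n}$, $U_\times = H^{\otimes n}$ and $U_\odot = K^{\otimes n}$, where $K =
(I + i\sigma_x)/\sqrt{2}$. Then there is a strategy where Bob succeeds at PI$_0$-STAR(XOR)
with probability $p = 1$.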

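Proof. We first construct Bob's measurement for the first 2 qubits, which allows
him to learn $x_1 \oplus x_2$ with probability 1. Note that the 12 possible states that
Alice sends can be expressed in the Bell basis as follows:

$$\begin{aligned}
|00\rangle &= \tfrac{1}{\sqrt{2}}(|\Phi^+\rangle + |\Phi^-\rangle) & H^{\otimes 2}|00\rangle &= \tfrac{1}{\sqrt{2}}(|\Phi^+\rangle + |\Psi^+\rangle) \\
|01\rangle &= \tfrac{1}{\sqrt{2}}(|\Psi^+\rangle + |\Psi^-\rangle) & H^{\otimes 2}|01\rangle &= \tfrac{1}{\sqrt{2}}(|\Phi^-\rangle + |\Psi^-\rangle) \\
|10\rangle &= \tfrac{1}{\sqrt{2}}(|\Psi^+\rangle - |\Psi^-\rangle) & H^{\otimes 2}|10\rangle &= \tfrac{1}{\sqrt{2}}(|\Phi^-\rangle - |\Psi^-\rangle) \\
|11\rangle &= \tfrac{1}{\sqrt{2}}(|\Phi^+\rangle - |\Phi^-\rangle) & H^{\otimes 2}|11\rangle &= \tfrac{1}{\sqrt{2}}(|\Phi^+\rangle - |\Psi^+\rangle)
\end{aligned}$$

$$\begin{aligned}
K^{\otimes 2}|00\rangle &= \tfrac{1}{\sqrt{2}}(|\Phi^-\rangle + i|\Psi^+\rangle) \\
K^{\otimes 2}|01\rangle &= \tfrac{1}{\sqrt{2}}(i|\Phi^+\rangle + |\Psi^-\rangle) \\
K^{\otimes 2}|11\rangle &= -\tfrac{1}{\sqrt{2}}(|\Phi^-\rangle - i|\Psi^+\rangle).
\end{aligned}$$

Bob now simply measures in the Bell basis and records his outcome. If Alice now
announces that she used the computational basis, Bob concludes that $x_1 \oplus x_2 = 0$
if the outcome is one of $|\Phi^\pm\rangle$ and $x_1 \oplus x_2 = 1$ otherwise. If Alice announces she
used the Hadamard basis, Bob concludes that $x_1 \oplus x_2 = 0$ if the outcome was
one of $\{|\Phi^+\rangle, |\Psi^+\rangle\}$ and $x_1 \oplus x_2 = 1$ otherwise. Finally, if Alice announces that
she used the $\odot$ basis, Bob concludes that $x_1 \oplus x_2 = 0$ if the outcome was one
of $\{|\Phi^-\rangle, |\Psi^+\rangle\}$ and $x_1 \oplus x_2 = 1$ otherwise. Bob can thus learn the XOR of two
bits with probability 1. To learn the XOR of the entire string, Bob applies this
strategy to each two bits individually and then computes the XOR of all answers.
□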
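The Bell-measurement strategy from this proof can be verified by direct computation. The following Python sketch is an added example, not code from the thesis: it computes the Bell-outcome probabilities for all states $U_b^{\otimes 2}|x_1 x_2\rangle$, derives the decision table Bob uses once $b$ is announced, and compares his success probability with and without the basis announcement. The basis labels `"+"`, `"x"`, `"o"` and all function names are choices made for this example.

```python
from itertools import product
from math import sqrt

S = 1 / sqrt(2)
# U_+ = I, U_x = H, U_o = K = (I + i*sigma_x)/sqrt(2), as in Theorem 3.4.5
UNITARIES = {
    "+": [[1, 0], [0, 1]],
    "x": [[S, S], [S, -S]],
    "o": [[S, 1j * S], [1j * S, S]],
}
# Bell basis, amplitudes ordered |00>, |01>, |10>, |11> (all real)
BELL = {
    "Phi+": (S, 0, 0, S),
    "Phi-": (S, 0, 0, -S),
    "Psi+": (0, S, S, 0),
    "Psi-": (0, S, -S, 0),
}

def pair_state(x, basis):
    """Amplitudes of U_b applied to both qubits of |x1 x2>."""
    U = UNITARIES[basis]
    first = (U[0][x[0]], U[1][x[0]])
    second = (U[0][x[1]], U[1][x[1]])
    return [a * b for a in first for b in second]

def bell_distribution(x, basis):
    """Probability of each Bell outcome when Alice sends x1 x2 in the given basis."""
    state = pair_state(x, basis)
    return {name: abs(sum(b * a for b, a in zip(vec, state))) ** 2
            for name, vec in BELL.items()}

def joint(bases):
    """P(basis, outcome, x1 XOR x2) for uniform basis and uniform x in {0,1}^2."""
    table = {}
    for basis in bases:
        for x in product((0, 1), repeat=2):
            for outcome, p in bell_distribution(x, basis).items():
                key = (basis, outcome, x[0] ^ x[1])
                table[key] = table.get(key, 0.0) + p / (4 * len(bases))
    return table

def success_with_basis(bases):
    """Bob keeps the classical Bell outcome and answers after b is announced."""
    t = joint(bases)
    return sum(max(t[(b, o, 0)], t[(b, o, 1)]) for b in bases for o in BELL)

def success_without_basis(bases):
    """Same measurement, but Bob has to answer without ever learning b."""
    t = joint(bases)
    return sum(max(sum(t[(b, o, y)] for b in bases) for y in (0, 1)) for o in BELL)

def parity_zero_outcomes(basis):
    """Bell outcomes that occur only when x1 XOR x2 = 0 in this basis."""
    t = joint([basis])
    return {o for o in BELL if t[(basis, o, 0)] > 1e-12 and t[(basis, o, 1)] < 1e-12}

def possible_answers(x, basis):
    """All values Bob can output for XOR(x), n even, over outcomes of nonzero probability."""
    zero = parity_zero_outcomes(basis)
    answers = {0}
    for i in range(0, len(x), 2):
        dist = bell_distribution(x[i:i + 2], basis)
        pair_bits = {0 if o in zero else 1 for o, p in dist.items() if p > 1e-12}
        answers = {a ^ b for a in answers for b in pair_bits}
    return answers

if __name__ == "__main__":
    for bases in ("+x", "+xo"):
        print(bases, "with b:", round(success_with_basis(bases), 6),
              "without b:", round(success_without_basis(bases), 6))
    for b in "+xo":
        print(b, "-> XOR = 0 on outcomes", sorted(parity_zero_outcomes(b)))
```

With the announcement Bob is always correct, while the same measurement without it reaches only 3/4, the optimum stated in Theorems 3.3.5 and 3.3.6 for even $n$.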



Analogously to the proof of Theorem 3.4.5 we obtain: 



3.4.6. Corollary. Let $n \in \mathbb{N}$ be even, and let $P_X(x) = \frac{1}{2^n}$ for all $x \in \{0, 1\}^n$.
Let $\mathcal{B} = \{+, \times\}$ with $U_+ = I^{\otimes n}$ and $U_\times = H^{\otimes n}$. Then there is a strategy where
Bob succeeds at PI$_0$-STAR(XOR) with probability $p = 1$.

Interestingly, there is no equivalent strategy for Bob if n is odd. In fact, as 
we show in the next section, in this case the post-measurement information gives 
no advantage to Bob at all. 

3.4.7. Theorem. Let $n \in \mathbb{N}$ be odd, and let $P_X(x) = \frac{1}{2^n}$ for all $x \in \{0, 1\}^n$. Let
$\mathcal{B} = \{+, \times\}$ with $U_+ = I^{\otimes n}$, $U_\times = H^{\otimes n}$ and $P_B(+) = P_B(\times) = 1/2$. Then Bob
succeeds at PI$_0$-STAR(XOR) with probability at most

There exists a strategy for Bob that achieves p. 

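Proof. Similar to the proof of the AND function, we can write Bob's optimal
probability of success as the following semidefinite program in terms of the length
of the input string, $n$:

maximize $\frac{1}{4} \sum_{o_+, o_\times \in \{0,1\}} \mathrm{Tr}[b^{(n)}_{o_+ o_\times} M_{o_+ o_\times}]$
subject to $\forall o_+, o_\times \in \{0, 1\}: M_{o_+ o_\times} \geq 0$,
$\sum_{o_+, o_\times \in \{0,1\}} M_{o_+ o_\times} = I$,

where

$$b^{(n)}_{o_+ o_\times} = \rho^{(n)}_{o_+ +} + \rho^{(n)}_{o_\times \times},$$

and $\rho^{(n)}_{o_b b} = \frac{1}{2^{n-1}} \sum_{x \in \{0,1\}^n,\, x \in \mathrm{XOR}^{-1}(o_b)} U_b|x\rangle\langle x|U_b^\dagger$. The dual can be written as

minimize $\frac{1}{4}\mathrm{Tr}(Q^{(n)})$
subject to $\forall o_+, o_\times \in \{0, 1\}: Q^{(n)} \geq b^{(n)}_{o_+ o_\times}$.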





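Our proof is now by induction on $n$. For $n = 1$, let $Q^{(1)} = 2pI$. It is easy to
verify that $\forall o_+, o_\times \in \{0, 1\}: Q^{(1)} \geq b^{(1)}_{o_+ o_\times}$ and thus $Q^{(1)}$ is a feasible solution of
the dual program.

We now show that for $n + 2$, $Q^{(n+2)} = \frac{1}{4} Q^{(n)} \otimes I$ is a feasible solution to the
dual for $n + 2$, where $Q^{(n)}$ is a solution for the dual for $n$. Note that the XOR of
all bits in the string can be expressed as the XOR of the first $n - 2$ bits XORed
with the XOR of the last two. Recall Eq. (3.3) and note that we can write

$$\rho_{0+}^{(2)} = \tfrac{1}{2}(|00\rangle\langle 00| + |11\rangle\langle 11|) = \tfrac{1}{2}(|\Phi^+\rangle\langle\Phi^+| + |\Phi^-\rangle\langle\Phi^-|)$$
$$\rho_{1+}^{(2)} = \tfrac{1}{2}(|01\rangle\langle 01| + |10\rangle\langle 10|) = \tfrac{1}{2}(|\Psi^+\rangle\langle\Psi^+| + |\Psi^-\rangle\langle\Psi^-|).$$

It is easy to see that $\rho_{0\times}^{(2)} = H\rho_{0+}^{(2)}H = \frac{1}{2}(|\Phi^+\rangle\langle\Phi^+| + |\Psi^+\rangle\langle\Psi^+|)$ and $\rho_{1\times}^{(2)} =
H\rho_{1+}^{(2)}H = \frac{1}{2}(|\Phi^-\rangle\langle\Phi^-| + |\Psi^-\rangle\langle\Psi^-|)$. By substituting from the above equation we
then obtain

$$\begin{aligned}
b_{00}^{(n+2)} = \rho_{0+}^{(n+2)} + \rho_{0\times}^{(n+2)} = \tfrac{1}{4}\Big( &(\rho_{0+}^{(n)} + \rho_{0\times}^{(n)}) \otimes |\Phi^+\rangle\langle\Phi^+| + (\rho_{0+}^{(n)} + \rho_{1\times}^{(n)}) \otimes |\Phi^-\rangle\langle\Phi^-| \\
+ &(\rho_{1+}^{(n)} + \rho_{0\times}^{(n)}) \otimes |\Psi^+\rangle\langle\Psi^+| + (\rho_{1+}^{(n)} + \rho_{1\times}^{(n)}) \otimes |\Psi^-\rangle\langle\Psi^-| \Big) \leq \tfrac{1}{4} Q^{(n)} \otimes I = Q^{(n+2)},
\end{aligned}$$

where we have used the fact that $Q^{(n)}$ is a feasible solution for the dual for $n$ and
that $|\Phi^+\rangle\langle\Phi^+| + |\Phi^-\rangle\langle\Phi^-| + |\Psi^+\rangle\langle\Psi^+| + |\Psi^-\rangle\langle\Psi^-| = I$. The argument for $b_{01}^{(n+2)}$,
$b_{10}^{(n+2)}$ and $b_{11}^{(n+2)}$ is analogous. Thus $Q^{(n+2)}$ satisfies all constraints.

Putting things together, we have for odd $n$ that $\mathrm{Tr}(Q^{(n+2)}) = \mathrm{Tr}(Q^{(n)}) =
\mathrm{Tr}(Q^{(1)})$ and since the dual is a minimization problem we know that

$$p \leq \tfrac{1}{4}\mathrm{Tr}(Q^{(1)}) = c$$

as claimed. Clearly, there exists a strategy for Bob that achieves $p = c$. He can
compute the XOR of the first $n - 1$ bits perfectly, as shown in Theorem 3.4.6. By
Corollary 3.4.4 he can learn the value of the remaining $n$-th bit with probability
$p = c$. □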

We obtain a similar bound for three bases: 

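3.4.8. Theorem. Let $n \in \mathbb{N}$ be odd, and let $P_X(x) = \frac{1}{2^n}$ for all $x \in \{0,1\}^n$.
Let $\mathcal{B} = \{+, \times, \odot\}$ with $U_+ = I^{\otimes n}$, $U_\times = H^{\otimes n}$ and $U_\odot = K^{\otimes n}$, where $K =
(I + i\sigma_x)/\sqrt{2}$, with $P_B(+) = P_B(\times) = P_B(\odot) = 1/3$. Then Bob succeeds at
PI$_0$-STAR(XOR) with probability at most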



2 V 

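There exists a strategy for Bob that achieves $p$.

Proof. The proof follows the same lines as Theorem 3.4.7. Bob's optimal
probability of success is:

$$\begin{aligned}
\text{maximize} \quad & \frac{1}{6} \sum_{o_+, o_\times, o_\odot \in \{0,1\}} \mathrm{Tr}\left[ b^{(n)}_{o_+ o_\times o_\odot} M_{o_+ o_\times o_\odot} \right] \\
\text{subject to} \quad & \forall o_+, o_\times, o_\odot \in \{0,1\}: M_{o_+ o_\times o_\odot} \geq 0, \\
& \sum_{o_+, o_\times, o_\odot \in \{0,1\}} M_{o_+ o_\times o_\odot} = I,
\end{aligned}$$

where

$$b^{(n)}_{o_+ o_\times o_\odot} = \sum_{b \in \{+, \times, \odot\}} \rho^{(n)}_{o_b b},$$

and

$$\rho^{(n)}_{o_b b} = \frac{1}{2^{n-1}} \sum_{x \in \mathrm{XOR}^{-1}(o_b)} U_b |x\rangle\langle x| U_b^\dagger.$$

The dual can be written as

$$\begin{aligned}
\text{minimize} \quad & \frac{1}{6} \mathrm{Tr}(Q^{(n)}) \\
\text{subject to} \quad & \forall o_+, o_\times, o_\odot \in \{0,1\}: Q^{(n)} \geq b^{(n)}_{o_+ o_\times o_\odot}.
\end{aligned}$$

Again, the proof continues by induction on $n$. For $n = 1$, let $Q^{(1)} = 3pI$. It is
easy to verify that $\forall o_+, o_\times, o_\odot \in \{0,1\}: Q^{(1)} \geq b^{(1)}_{o_+ o_\times o_\odot}$ and thus $Q^{(1)}$ is a feasible
solution of the dual program. The rest of the proof is done exactly in the same
way as in Theorem 3.4.7 using that

$$\rho^{(2)}_{0\odot} = \frac{1}{2}\left(|\Phi^-\rangle\langle\Phi^-| + |\Psi^+\rangle\langle\Psi^+|\right),$$

$$\rho^{(2)}_{1\odot} = \frac{1}{2}\left(|\Psi^-\rangle\langle\Psi^-| + |\Phi^+\rangle\langle\Phi^+|\right).$$

□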



3.5 Using post-measurement information and quantum memory

3.5.1 An algebraic framework for perfect prediction 

So far, we had assumed that Bob is not allowed to store any qubits and can only
use the additional post-measurement information to improve his guess. Now, we
investigate the case where he has a certain amount of quantum memory at his
disposal. In particular, we present a general algebraic approach to determine the
minimum dimension $2^q$ of quantum memory needed to succeed with probability
1 at an instance of PI$_q$-STAR($\mathcal{E}$), for any ensemble $\mathcal{E} = \{p_{yb}, \rho_{yb}\}$ as long as the
individual states for different values of $y$ are mutually orthogonal for a fixed $b$,
i.e., $\forall y \neq z \in \mathcal{Y}: \mathrm{Tr}(\rho_{yb}\rho_{zb}) = 0$. In particular, we are looking for an instrument
consisting of a family of completely positive maps $\rho \mapsto A\rho A^\dagger$, adding up to
a trace preserving map, such that $\mathrm{rank}(A) \leq 2^q$. This ensures that the
post-measurement state "fits" into $q$ qubits, and thus takes care of the memory bound.
The fact that after the announcement of $b$ the remaining state $A\rho_{yb}A^\dagger$ gives full
information about $y$ is expressed by demanding orthogonality of the different
post-measurement states:

$$\forall b \in \mathcal{B},\ \forall y \neq z \in \mathcal{Y}: \quad A\rho_{yb}A^\dagger A\rho_{zb}A^\dagger = 0. \qquad (3.6)$$

Note that here we explicitly allow the possibility that, say, $A\rho_{zb}A^\dagger = 0$: this
means that if Bob obtains outcome $A$ and later learns $b$, he can exclude the
output value $z$. What Eq. (3.6) also implies is that for all states $|\psi\rangle$ and $|\varphi\rangle$ in
the support of $\rho_{yb}$ and $\rho_{zb}$, respectively, one has $A|\psi\rangle\langle\psi|A^\dagger A|\varphi\rangle\langle\varphi|A^\dagger = 0$. Hence,
introducing the support projectors $P_{yb}$ of the $\rho_{yb}$, we can reformulate Eq. (3.6) as

$$\forall b \in \mathcal{B},\ \forall y \neq z \in \mathcal{Y}: \quad AP_{yb}A^\dagger AP_{zb}A^\dagger = 0,$$

which can equivalently be expressed as

$$\forall b \in \mathcal{B},\ \forall y \neq z \in \mathcal{Y}: \quad \mathrm{Tr}(A^\dagger A P_{yb} A^\dagger A P_{zb}) = 0, \qquad (3.7)$$

by noting that $A^\dagger A$ as well as the projectors are positive-semidefinite operators.
As expected, we see that only the POVM operators $M = A^\dagger A$ of the instrument
play a role in this condition. Our conditions can therefore also be written as
$MP_{yb}MP_{zb} = 0$. From this condition, we now derive the following lemma.

3.5.1. Lemma. Bob, using a POVM with operators $\{M_i\}$, succeeds at PI$_q$-STAR
with probability 1, if and only if

1. for all $i$, $\mathrm{rank}(M_i) \leq 2^q$,

2. for all $y \in \mathcal{Y}$ and $b \in \mathcal{B}$, $[M_i, P_{yb}] = 0$, where $P_{yb}$ is the projection on the
support of $\rho_{yb}$.

Proof. We first show that these two conditions are necessary. Note that only
the commutation condition has to be proved. Let $M$ be a measurement operator
from a POVM succeeding with probability 1. Then, for any $y$, $b$, we have by
Eq. (3.7) that

$$\mathrm{Tr}(MP_{yb}M(I - P_{yb})) = 0, \quad \text{hence} \quad \mathrm{Tr}(MP_{yb}MP_{yb}) = \mathrm{Tr}(MP_{yb}M).$$

Thus, by the positivity of the trace on positive operators, the cyclicity of the
trace, and $P_{yb}^2 = P_{yb}$ we have that

$$\begin{aligned}
0 &\leq \mathrm{Tr}\left([M, P_{yb}]^\dagger [M, P_{yb}]\right) \\
&= \mathrm{Tr}\left(-(MP_{yb} - P_{yb}M)^2\right) \\
&= \mathrm{Tr}\left(-MP_{yb}MP_{yb} - P_{yb}MP_{yb}M + P_{yb}M^2P_{yb} + MP_{yb}^2M\right) = 0.
\end{aligned}$$

But that means that the commutator $[M, P_{yb}]$ has to be 0.

Sufficiency is easy: since the measurement operators commute with the states'
support projectors $P_{yb}$, and these are orthogonal to each other for fixed $b$, the
post-measurement states of these projectors, $\propto \sqrt{M}P_{yb}\sqrt{M}$, are also mutually
orthogonal for fixed $b$. Thus, if Bob learns $b$, he can perform a measurement to
distinguish the different values of $y$ perfectly. The post-measurement states are
clearly supported on the support of $M$, which can be stored in $q$ qubits. Since
Bob's strategy succeeds with probability 1, it succeeds with probability 1 for any
states supported in the range of the $P_{yb}$. □



Note that the operators $M$ of the instrument need not commute with the
originally given states $\rho_{yb}$. Nevertheless, the measurement preserves the
orthogonality of $\rho_{yb}$ and $\rho_{zb}$ with $y \neq z$ for fixed $b$, i.e., $\mathrm{Tr}(\rho_{yb}\rho_{zb}) = 0$. Now that we know
that the POVM operators of the instrument have to commute with all the states'
support projectors $P_{yb}$, we can invoke some well-developed algebraic machinery
to find the optimal such instrument.

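Looking at Appendix B we see that $M$ has to come from the commutant
of the operators $P_{yb}$. These themselves generate a *-subalgebra $\mathcal{A}$ of the full
operator algebra $\mathcal{B}(\mathcal{H})$ of the underlying Hilbert space $\mathcal{H}$, and the structure of
such algebras and their commutants in finite dimension is well understood. We
know from Theorem B.4.7 that the Hilbert space $\mathcal{H}$ has a decomposition (i.e.,
there is an isomorphism which we write as an equality)

$$\mathcal{H} = \bigoplus_j \mathcal{J}_j \otimes \mathcal{K}_j, \qquad (3.8)$$

into a direct sum of tensor products such that the *-algebra $\mathcal{A}$ and its commutant
algebra $\mathrm{Comm}(\mathcal{A}) = \{ M \in \mathcal{B}(\mathcal{H}) : \forall P \in \mathcal{A},\ [P, M] = 0 \}$ can be written

$$\mathcal{A} = \bigoplus_j \mathcal{B}(\mathcal{J}_j) \otimes I_{\mathcal{K}_j}, \qquad (3.9)$$

$$\mathrm{Comm}(\mathcal{A}) = \bigoplus_j I_{\mathcal{J}_j} \otimes \mathcal{B}(\mathcal{K}_j). \qquad (3.10)$$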



Koashi and Imoto [KI02], in the context of finding the quantum operations
which leave a set of states invariant, have described an algorithm to find the
commutant $\mathrm{Comm}(\mathcal{A})$, and more precisely the Hilbert space decomposition of
Eq. (3.8), of the states $P_{yb}/\mathrm{Tr}\,P_{yb}$. They show that for this decomposition, there
exist states $\sigma_{j|i}$ on $\mathcal{J}_j$, a conditional probability distribution $\{q_{j|i}\}$, and states $\omega_j$
on $\mathcal{K}_j$ which are independent of $i$, such that we can write them as

$$\forall i: \quad \sigma_i = \bigoplus_j q_{j|i}\, \sigma_{j|i} \otimes \omega_j.$$



Looking at Eq. (3.10), we see that the smallest rank operators $M \in \mathrm{Comm}(\mathcal{A})$
are of the form $I_{\mathcal{J}_j} \otimes |\psi\rangle\langle\psi|$ for some $j$ and $|\psi\rangle \in \mathcal{K}_j$, and that they are all
admissible. Since we need a family of operators $M$ that are closed to a POVM
(i.e., their sum is equal to the identity), we know that all $j$ have to occur. Hence,
the minimal quantum memory requirement is

$$\min 2^q = \max_j \dim \mathcal{J}_j. \qquad (3.11)$$

The strategy Bob has to follow is this: For each $j$, pick a basis $\{|e_{k|j}\rangle\}$ for $\mathcal{K}_j$ and
measure the POVM $\{I_{\mathcal{J}_j} \otimes |e_{k|j}\rangle\langle e_{k|j}|\}$, corresponding to the decomposition

$$\mathcal{H} = \bigoplus_{jk} \mathcal{J}_j \otimes |e_{k|j}\rangle\langle e_{k|j}|,$$

which commutes with the $P_{yb}$. For each outcome, he can store the post-measurement
state in $q$ qubits [as in Eq. (3.11)], preserving the orthogonality of the states for
different $y$ but fixed $b$. Once he learns $b$ he can thus obtain $y$ with certainty.

Of course, carrying out the Koashi-Imoto algorithm may not be a straightforward
task in a given situation. We now consider two explicit examples that
one can understand as two special cases of this general method: First, we show
that in fact all Boolean functions with two bases (mutually unbiased or not) can
be computed perfectly when Bob is allowed to store just a single qubit. Second,
however, we show that there exist three bases such that for any balanced function,
Bob must store all qubits to compute the function perfectly. We also give
a recipe for how to construct such bases.

3.5.2 Using two bases 

For two bases, Bob needs to store only a single qubit to compute any Boolean
function perfectly. As outlined in Section 3.5.1, we need to show that there exists
a measurement with the following properties: First, the post-measurement states
of states corresponding to strings $x$ such that $f(x) = 0$ are orthogonal to the
post-measurement states of states corresponding to strings $y$ such that $f(y) = 1$.
Indeed, if this is true and we keep the post-measurement state, then after the basis
is announced, we can distinguish perfectly between both types of states. Second,
of course, we need that the post-measurement states are supported in subspaces of
dimension at most 2. The following little lemma shows that this is the case for any
Boolean function. The same statement has been shown independently many times
before in a variety of different contexts. For example, Masanes and also Toner and
Verstraete have shown the same in the context of non-local games [Mas06, TV06].
The key ingredient is also present in Bhatia's textbook [Bha97]. Indeed, there
is a close connection between the amount of post-measurement information we
require, and the amount of entanglement we need to implement measurements in
the setting of non-local games. We return to this question in Chapter 6.

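3.5.2. Lemma. Let $f: \{0,1\}^n \to \{0,1\}$ and $P_{0b} = \sum_{x \in f^{-1}(0)} U_b|x\rangle\langle x|U_b^\dagger$ where
$U_0 = I$ and $U_1 = U$, then there exists a direct sum decomposition of the Hilbert
space

$$\mathcal{H} = \bigoplus_{i=1}^{m} \mathcal{H}_i, \quad \text{with } \dim \mathcal{H}_i \leq 2,$$

such that $P_{00}$ and $P_{01}$ can be expressed as

$$P_{00} = \sum_{i=1}^{m} \Pi_i P_{00} \Pi_i,$$

$$P_{01} = \sum_{i=1}^{m} \Pi_i P_{01} \Pi_i,$$

where $\Pi_i$ is the orthogonal projector onto $\mathcal{H}_i$.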

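Proof. There exists a basis so that $P_{00}$ and $P_{01}$ can be written as

$$P_{00} = \begin{pmatrix} I_{n_0} & 0_{n_0 \times n_1} \\ 0_{n_1 \times n_0} & 0_{n_1 \times n_1} \end{pmatrix}, \qquad
P_{01} = \begin{pmatrix} A^{00}_{n_0 \times n_0} & A^{01}_{n_0 \times n_1} \\ (A^{01})^\dagger_{n_1 \times n_0} & A^{11}_{n_1 \times n_1} \end{pmatrix},$$

where $n_y = |f^{-1}(y)|$ is the number of strings $x$ such that $f(x) = y$, and we have
specified the dimensions of the matrix blocks for clarity. In what follows these
dimensions will be omitted. We assume without loss of generality that $n_0 \leq n_1$.
It is easy to check that, since $P_{01}$ is a projector, it must satisfy



Consider a unitary of the following form

$$V = \begin{pmatrix} V_0 & 0 \\ 0 & V_1 \end{pmatrix},$$

where $V_0$ and $V_1$ are $n_0 \times n_0$ and $n_1 \times n_1$ unitaries respectively. Under such a
unitary, $P_{00}$ and $P_{01}$ are transformed to:

$$VP_{00}V^\dagger = P_{00}, \qquad
VP_{01}V^\dagger = \begin{pmatrix} V_0A^{00}V_0^\dagger & V_0A^{01}V_1^\dagger \\ (V_0A^{01}V_1^\dagger)^\dagger & V_1A^{11}V_1^\dagger \end{pmatrix}. \qquad (3.13)$$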
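We now choose $V_0$ and $V_1$ from the singular value decomposition (SVD, [HJ85,
Theorem 7.3.5]) of $A^{01} = V_0^\dagger D V_1$ which gives

$$V_0A^{01}V_1^\dagger = \sum_{k=1}^{n_0} d_k |u_k\rangle\langle v_k|,$$

where $d_k \geq 0$, $\langle u_k|u_l\rangle = \langle v_k|v_l\rangle = \delta_{kl}$. Since $(A^{01})^\dagger A^{01}$ and $A^{01}(A^{01})^\dagger$ are
supported in orthogonal subspaces, it also holds that $\forall k, l: \langle u_k|v_l\rangle = 0$. Eqs. (3.12)
and (3.13) now give us

$$V_0A^{00}V_0^\dagger\left(I_{n_0} - V_0A^{00}V_0^\dagger\right) = \sum_{k=1}^{n_0} d_k^2 |u_k\rangle\langle u_k|,$$

$$V_1A^{11}V_1^\dagger\left(I_{n_1} - V_1A^{11}V_1^\dagger\right) = \sum_{k=1}^{n_0} d_k^2 |v_k\rangle\langle v_k|.$$

Suppose for the time being that all the $d_k$ are different. Since they are all
non-negative, all the $d_k^2$ will also be different and it must hold that

$$V_0A^{00}V_0^\dagger = \sum_{k=1}^{n_0} a_k^2 |u_k\rangle\langle u_k|,$$

$$V_1A^{11}V_1^\dagger = \sum_{k=1}^{n_0} a_k'^2 |v_k\rangle\langle v_k| + \sum_{k=n_0+1}^{n_1} a_k'^2 |v_k\rangle\langle v_k|,$$

for some $a_k$, $a_k'$ and $|v_k\rangle$ with $1 \leq k \leq n_1$. Note that we can choose $|v_k\rangle$ such that
$\forall k, k', k \neq k': \langle v_k|v_{k'}\rangle = 0$ and $\forall k, l: \langle u_k|v_l\rangle = 0$. We can now express $VP_{01}V^\dagger$
as

$$VP_{01}V^\dagger = \sum_{k=1}^{n_0} \left[ a_k^2 |u_k\rangle\langle u_k| + d_k\left(|u_k\rangle\langle v_k| + |v_k\rangle\langle u_k|\right) + a_k'^2 |v_k\rangle\langle v_k| \right] + \sum_{k=n_0+1}^{n_1} a_k'^2 |v_k\rangle\langle v_k|.$$

It is now clear that we can choose all $\mathcal{H}_k = \mathrm{span}\{|u_k\rangle, |v_k\rangle\}$, and $\mathcal{H}_{k'} = \mathrm{span}\{|v_{k'}\rangle\}$
which are orthogonal and together add up to $\mathcal{H}$.

In the case that all the $d_k$ are not different, there is some freedom left in
choosing $|u_k\rangle$ and $|v_k\rangle$ that still allows us to make $V_0A^{00}V_0^\dagger$ and $V_1A^{11}V_1^\dagger$ diagonal
so that the rest of the proof follows in the same way. □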

In particular, the previous lemma implies that the post-measurement states
corresponding to strings $x$ for which $f(x) = 0$ are orthogonal to those corresponding
to strings $x$ for which $f(x) = 1$, which is expressed in the following lemma.

3.5.3. Lemma. Suppose one performs the measurement given by $\{\Pi_i : i \in [m]\}$.
If the outcome of the measurement is $i$ and the state was $U_b|x\rangle$, then the
post-measurement state is

$$|x, i, b\rangle := \frac{\Pi_i U_b|x\rangle}{\sqrt{\langle x|U_b^\dagger \Pi_i U_b|x\rangle}}.$$

The post-measurement states satisfy

$$\forall x \in f^{-1}(0),\ x' \in f^{-1}(1),\ i \in [m]: \quad \langle x, i, b|x', i, b\rangle = 0.$$

Proof. The proof follows straightforwardly from the fact that the $\Pi_i$ commute
with both $P_{00}$ and $P_{01}$ (which follows from Lemma 3.5.2). □



Now we are ready to prove the main theorem of this section. 

3.5.4. Theorem. Let $|\mathcal{Y}| = |\mathcal{B}| = 2$, then there exists a strategy for Bob such
that he succeeds at PI$_1$-STAR($\mathcal{E}$) with probability $p = 1$, for any function $f$ and
prior $P_X$ on $\mathcal{X}$.

Proof. The strategy that Bob uses is the following:

• Bob performs the measurement given by $\{\Pi_i : i \in [m]\}$.

• He obtains an outcome $i \in [m]$ and stores the post-measurement state which
is supported in the at most two-dimensional subspace $\mathcal{H}_i$.

• After the basis $b \in \{0, 1\}$ is announced, he measures $\{P_{0b}, P_{1b}\}$ and reports
the outcome of this measurement.

By Lemma 3.5.3 this leads to success probability 1. □



Our result also gives us a better lower bound for all Boolean functions than
what we had previously obtained in Section 3.4.1. Instead of storing the qubit,
Bob now measures it immediately along the lines of Lemma 3.3.1. It is not too
difficult to convince yourself that for one qubit the worst-case post-measurement
states to distinguish are in fact those in Lemma 3.3.1.

3.5.5. Corollary. Let $|\mathcal{Y}| = |\mathcal{B}| = 2$, then Bob succeeds at PI$_0$-STAR($\mathcal{E}$) with
probability at least $p \geq (1 + 1/\sqrt{2})/2$.



In particular, our result implies that for the task of constructing Rabin-OT
in [DFSS05] it is essential for Alice to choose a random function $f$ from a larger
set, which is initially unknown to Bob.

As a final remark, note that the prior distributions do not play any role.
Likewise, it is not actually important that the states $\rho_{yb}$ are proportional to
projectors: we only require that for all $b \in \{0, 1\}$, the states $\rho_{0b}$ and $\rho_{1b}$ are
orthogonal.
3.5.3 Using three bases

We have just shown that Bob can compute any Boolean function perfectly when
two bases are used. However, we now show that for any balanced Boolean function
there exist three bases, such that Bob needs to store all qubits in order to
compute the function perfectly. The idea behind our proof is that for a particular
choice of three bases, any measurement operator that satisfies the conditions set
out in Lemma 3.5.1 must be proportional to the identity. This means that we
cannot reduce the number of qubits to be stored by a measurement and must
keep everything. First, we prove the following lemma which we need in our main
proof.

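3.5.6. Lemma. Let $M$ be a self-adjoint matrix which is diagonal in two mutually
unbiased bases, then $M$ must be proportional to the identity.

Proof. Let $|x\rangle$ and $|u_x\rangle$ with $x \in \{1, \ldots, d\}$ be the two MUBs and let $m_x$ and $m'_x$ be the
eigenvalues corresponding to $|x\rangle$ and $|u_x\rangle$ respectively, then we can write

$$M = \sum_{x=1}^{d} m_x |x\rangle\langle x| = \sum_{x'=1}^{d} m'_{x'} |u_{x'}\rangle\langle u_{x'}|.$$

From the previous equation, it follows that

$$\langle x|M|x\rangle = m_x = \sum_{x'=1}^{d} m'_{x'} |\langle x|u_{x'}\rangle|^2 = \frac{1}{d}\mathrm{Tr}\,M,$$

which implies the desired result. □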



We are now ready to prove the main result of this section. 



3.5.7. Theorem. Let $|\mathcal{Y}| = 2$ and $|\mathcal{B}| = 3$, then for any balanced function $f$
and prior $P_X$ on $\mathcal{X}$ which is uniform on the pre-images $f^{-1}(y)$, there exist three
bases such that Bob succeeds at PI$_q$-STAR($\mathcal{E}$) with probability $p = 1$ if and only
if $q = \log d$.

Proof. Let $P_{00} = \sum_{x \in f^{-1}(0)} |x\rangle\langle x|$, $P_{01} = U_1P_{00}U_1^\dagger$ and $P_{02} = U_2P_{00}U_2^\dagger$. Also,
let $s: f^{-1}(0) \to f^{-1}(1)$ be a bijective map, and let $s_x = s(x)$. By a reordering of
the basis, $P_{00}$, $U_1$ and $U_2$ can be written as



P 



00 



^2 



where all the blocks are of size $(d/2) \times (d/2)$. $P_{01}$ and $P_{02}$ then take the following
form:



P 



01 



^OOfjOOt 
(^00f;10t)t 



fjOOfjlOt 



P 



02 



oot 
It follows from Lemma 3.5.1 that we only have to prove that $[M, P_{00}] =
[M, P_{01}] = [M, P_{02}] = 0$ implies that $M$ must be proportional to the identity.
Write

$$M = \begin{pmatrix} M^{00} & M^{01} \\ (M^{01})^\dagger & M^{11} \end{pmatrix}.$$

Commutation with $P_{00}$ implies $M^{01} = 0$. Commutation with $P_{01}$ and $P_{02}$ implies



00 ^OOf^OOt. 



[M' 

^OOr^lOt^ 



0, 
0, 



11 



(3.14) 
(3.15) 
(3.16) 
(3.17) 



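We choose $U_1$ and $U_2$ in the following way:

$$U_1 = \sum_{x \in f^{-1}(0)} \left[ a_x\left(|x\rangle\langle x| + |s_x\rangle\langle s_x|\right) + \sqrt{1 - a_x^2}\left(|x\rangle\langle s_x| - |s_x\rangle\langle x|\right) \right],$$

$$U_2 = \sum_{x \in f^{-1}(0)} \left[ a_x\left(|u_x\rangle\langle u_x| + |v_x\rangle\langle v_x|\right) + \sqrt{1 - a_x^2}\left(|u_x\rangle\langle v_x| - |v_x\rangle\langle u_x|\right) \right],$$

with $a_x \in [0, 1]$, satisfying $a_x = a_{x'}$ if and only if $x = x'$. Furthermore, choose
$|u_x\rangle$ and $|v_x\rangle$ such that

$$\forall x, x' \in f^{-1}(0): \quad \langle x|v_{x'}\rangle = \langle s_x|u_{x'}\rangle = 0, \quad |\langle x|u_{x'}\rangle|^2 = |\langle s_x|v_{x'}\rangle|^2 = 2/d.$$

With this choice for $U_1$ and $U_2$ we have that

$$U_1^{00}U_1^{00\dagger} = \sum_{x \in f^{-1}(0)} a_x^2 |x\rangle\langle x|, \qquad U_2^{00}U_2^{00\dagger} = \sum_{x \in f^{-1}(0)} a_x^2 |u_x\rangle\langle u_x|,$$

i.e., $\{|x\rangle\}$ and $\{|u_x\rangle\}$ form an eigenbasis for $U_1^{00}U_1^{00\dagger}$ and $U_2^{00}U_2^{00\dagger}$ respectively.
Furthermore, since all the $a_x$ are different, the eigenbases are unique. Now, using
Eq. (3.14), we see that $M^{00}$ must commute with both $U_1^{00}U_1^{00\dagger}$ and $U_2^{00}U_2^{00\dagger}$, and
since their eigenbases are unique, it must be true that $M^{00}$ is diagonal in both
$\{|x\rangle\}$ and $\{|u_x\rangle\}$. Using the result of Lemma 3.5.6 it follows that $M^{00} = m_0 I_{d/2}$.
In exactly the same way we can prove that $M^{11} = m_1 I_{d/2}$ using Eq. (3.15). It
remains to prove that $m_0 = m_1$, which follows directly from either Eq. (3.16) or
Eq. (3.17). □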



From our proof it is clear how to construct $U_1$ and $U_2$. For $P_{00}$ as defined
above, we could choose vectors of the form $|x\rangle = |0\rangle|x\rangle$ and $|s_x\rangle = |1\rangle|x\rangle$ where
$x \in \{0,1\}^{n-1}$ to construct $U_1$. For $U_2$ we could then pick $|u_x\rangle = |0\rangle H^{\otimes (n-1)}|x\rangle$
and analogously $|v_x\rangle = |1\rangle H^{\otimes (n-1)}|x\rangle$. As we will see in Chapter 6, our example
shows that for non-local games we cannot hope to prove a statement analogous
to [Mas06, TV06] for three measurement settings where each measurement has
two outcomes.

Note, however, that whereas we know that for such unitaries Bob must store
all qubits in order to compute the value of the function perfectly, it remains
unclear how close he can get to computing the function perfectly when storing
fewer qubits. In particular, he can always choose two of the three bases, and
employ the strategy outlined in the previous section: he stores the one qubit that
allows him to succeed with probability 1 for two of the bases. If he gets the
third basis then he just flips a coin. In this case, he is correct with probability
$2/3 + 1/(3 \cdot 2) = 5/6$ for a balanced function and a uniform prior. It remains an
important open question to address the approximate case.



3.6 Conclusion 

We have introduced a new state discrimination problem, motivated by cryptog- 
raphy: discrimination with extra information about the state after the measure- 
ment, or, more generally, after a quantum memory bound applies. We have left 
most general questions open, but we found fairly complete results in the case of 
guessing $y = f(x)$ with mutually unbiased encodings.

We have shown that storing just a single qubit allows Bob to succeed at PI-STAR
perfectly for any Boolean function and any two bases. In contrast, we
showed how to construct three bases such that Bob needs to store all qubits in
order to compute the function perfectly. We have also given an explicit strategy
for two functions, namely the AND and the XOR. More generally, it would be
interesting to determine how many qubits Bob needs to store to compute $f(x)$
perfectly for any function $f: \mathcal{X} \to \mathcal{Y}$ in terms of the number of outputs $|\mathcal{Y}|$
and the number of bases $|\mathcal{B}|$. It should be clear that the algebraic techniques
of Section 3.5.1 allow us to answer these questions for any given function in
principle. However, so far, we have not been able to obtain explicit structures
for wider classes of functions. Our results imply that in existing protocols in
the bounded quantum storage model [DFSS05] we cannot restrict ourselves to a
single fixed function $f$ to perform privacy amplification. Note that our algebraic
framework can also address the question of using more than one function, where
$f$ is also announced after the memory bound applies [DFSS05]: we merely obtain
a larger problem. Yet, it is again difficult to determine a general bound.

In the important case of two mutually unbiased bases and balanced functions,
we have shown (Theorem 3.3.3 and Corollary 3.5.5) that there exists a clear
separation between the case where Bob gets the post-measurement information
(PI-STAR) and when he does not (STAR). Namely, for any such function, Bob's
optimal success probability is never larger than $(1 + 1/\sqrt{2})/2 \approx 0.853$ for STAR
and always at least as large as the same number for PI-STAR.

In some cases the gap between STAR and PI-STAR can be more dramatic.
The XOR function on strings of even length with two mutually unbiased bases
is one of these cases. We have shown that in this case the advantage can be
maximal. Namely, without the extra information Bob can never do better than
guessing the basis; with it, however, he can compute the value of the function
perfectly. This contrasts with the XOR function on strings of odd length, where
the optimal success probabilities of STAR and PI-STAR are both $(1 + 1/\sqrt{2})/2$
and the post-measurement information is completely useless for Bob. It would
be interesting to see how large the gap between STAR and PI-STAR can be for
any function $f: \{0,1\}^n \to \{0,1\}^k$ where $k > 2$. We return to this question in
Chapter 6.4.

It would also be nice to show a general lower bound for non-balanced functions
or a non-uniform prior. As the example for 3 bases showed, the uniform prior is
not necessarily the one that leads to the largest gap, and thus the prior can play
an important role. Another generalization would be to consider functions of the
form $f: [d]^n \to [d]^k$.

We now turn our attention to uncertainty relations. These will play an important
role in locking in Chapter 5. In the problem of locking, we also distinguish
measurement with basis information, analogous to our PI$_q$-STAR with $q = n$,
and without, corresponding to PI$_0$-STAR. So far, our objective has been to obtain
an accurate guess of a value, e.g. $y = f(x)$. In Chapter 5 we are interested
in a slightly different problem: How can we maximize the classical mutual
information? In particular, can we use mutually unbiased bases to obtain locking
effects?



Chapter 4 



Uncertainty relations 



Uncertainty relations lie at the very core of quantum mechanics. Intuitively, 
they quantify how much we can learn about different properties of a quantum 
system simultaneously. Some properties lead to very strong uncertainty relations: 
if we decide to learn one, we remain entirely ignorant about the others. But 
what characterizes such properties? In this chapter, we first investigate whether 
choosing our measurements to be mutually unbiased bases allows us to obtain 
strong uncertainty relations. Sadly, it turns out that mutual unbiasedness is not 
sufficient. Instead, we need to consider anti-commuting measurements. 

4.1 Introduction 

Heisenberg first realized that quantum mechanics leads to uncertainty relations
for conjugate observables such as position and momentum [Hei27]. Uncertainty
relations are probably best known in the form given by Robertson [Rob29], who
extended Heisenberg's result to any two observables $A$ and $B$. Robertson's
relation states that if we prepare many copies of the state $|\psi\rangle$, and measure each
copy individually using either $A$ or $B$, we have



where $\Delta X = \sqrt{\langle\psi|X^2|\psi\rangle - \langle\psi|X|\psi\rangle^2}$ for $X \in \{A, B\}$ is the standard deviation
resulting from measuring $|\psi\rangle$ with observable $X$. Recall from Chapter 2 that
classically we always have $[A, B] = 0$, and there is no such limiting lower bound.
Hence, uncertainty relations are another characteristic that sets apart quantum
theory. The consequences are rather striking: even if we had a perfect measurement
apparatus, we are nevertheless limited!

Entropic uncertainty relations are an alternative way to state Heisenberg's
uncertainty principle. They are frequently a more useful characterization, because
the "uncertainty" is lower bounded by a quantity that does not depend on the
state to be measured [Deu83, Kra87]. Recently, entropic uncertainty relations
have gained importance in the context of quantum cryptography in the bounded
storage model, where proving the security of such protocols ultimately reduces to
establishing such relations [DFR+07]. Proving new entropic uncertainty relations
could thus give rise to new protocols. Intuitively, it is clear that uncertainty
relations have a significant impact on what kind of protocols we can obtain in the
quantum settings. Recall the cryptographic task of oblivious transfer from
Chapter 1: the receiver should be able to extract information about one particular
property of a system, but should learn as little as possible about all other
properties. It is clear that, without placing any additional restrictions on the receiver,
uncertainty relations intuitively quantify how well we are able to implement such
a primitive.

Entropic uncertainty relations were first introduced by Bialynicki-Birula and
Mycielski [BBM75]. For our purposes, we will be interested in uncertainty
relations in the form put forward by Deutsch [Deu83]. Following a conjecture by
Kraus [Kra87], Maassen and Uffink [MU88] have shown that if we measure the
state $|\psi\rangle$ with observables $A$ and $B$ determined by the bases $\mathcal{A} = \{|a_1\rangle, \ldots, |a_d\rangle\}$
and $\mathcal{B} = \{|b_1\rangle, \ldots, |b_d\rangle\}$ respectively, we have

$$\frac{1}{2}\left(H(\mathcal{A}||\psi\rangle) + H(\mathcal{B}||\psi\rangle)\right) \geq -\log c(\mathcal{A}, \mathcal{B}),$$

where $c(\mathcal{A}, \mathcal{B}) = \max\{|\langle a|b\rangle| : |a\rangle \in \mathcal{A}, |b\rangle \in \mathcal{B}\}$, and

$$H(\mathcal{X}||\psi\rangle) = -\sum_{i=1}^{d} |\langle\psi|x_i\rangle|^2 \log |\langle\psi|x_i\rangle|^2$$

is the Shannon entropy [Sha48] arising from measuring the state $|\psi\rangle$ in the basis
$\mathcal{X} = \{|x_1\rangle, \ldots, |x_d\rangle\}$. In fact, Maassen and Uffink provide a more general
statement which also leads to uncertainty relations for higher order Rényi entropies.
Such relations have also been shown by Bialynicki-Birula [BB06] for special sets
of observables. Note that the above relation achieves our initial goal: the lower
bound no longer depends on the state $|\psi\rangle$ but only on $\mathcal{A}$ and $\mathcal{B}$ itself. What is
the strongest possible relation we could obtain? That is, which choices of $\mathcal{A}$ and
$\mathcal{B}$ maximize $-\log c(\mathcal{A}, \mathcal{B})$? It is not hard to see that choosing $\mathcal{A}$ and $\mathcal{B}$ to be
mutually unbiased (see Section 2.4) provides us with a lower bound of $(\log d)/2$
which is the strongest possible uncertainty relation: If we have no entropy for one
of the bases, then the entropy for the other bases must be maximal. For example,
in case of a one qubit system of $d = 2$ choosing $\mathcal{A} = \{|0\rangle, |1\rangle\}$ and $\mathcal{B} = \{|+\rangle, |-\rangle\}$
to be the computational and the Hadamard basis respectively, we obtain a lower
bound of 1/2.

Can we derive a similar relation for measurements using three or more
observables? Surprisingly, very little is known for a larger number of measurement
settings [Aza04]. Sanchez-Ruiz [San93, SR95] (using results of Larsen [Lar90])
has shown that for measurements using all $d + 1$ mutually unbiased bases, we can
obtain strong uncertainty relations. Here, we provide an elementary proof of his
result in dimension $d = 2^n$. Given the fact that mutually unbiased bases seem
to be a good choice if we use only two or $d + 1$ measurement settings, it may be
tempting to conclude that choosing our measurements to be mutually unbiased
always gives us good uncertainty relations for which the lower bound is as large as
possible. Numerical results for MUBs in prime dimensions up to 29 indicate that
MUBs may indeed be a good choice [DHL+04]. However, we show that merely
being mutually unbiased is not sufficient to obtain strong uncertainty relations. To
this end, we prove tight entropic uncertainty relations for measurements in a large
number of mutually unbiased bases (MUBs) in square dimensions. In particular,
we consider any MUBs derived from mutually orthogonal Latin squares [WB05],
and any set of MUBs obtained from the set of unitaries of the form $\{U \otimes U^*\}$,
where $\{U\}$ gives rise to a set of MUBs in dimension $s$ when applied to the basis
elements of the computational basis. For any $s$, there are at most $s + 1$ such
MUBs in a Hilbert space of dimension $d = s^2$: recall from Section 2.4 that we can
have at most $s + 1$ MUBs in a space of dimension $s$. Let $\mathbb{B}$ be the set of MUBs
coming from one of these two constructions. We prove that for any subset $\mathbb{T} \subseteq \mathbb{B}$
of these bases we have

$$\min_{|\psi\rangle} \sum_{\mathcal{B} \in \mathbb{T}} H(\mathcal{B}||\psi\rangle) = \frac{|\mathbb{T}|}{2} \log d.$$

Our result shows that one needs to be careful to think of "maximally
incompatible" measurements as being necessarily mutually unbiased. When we
take entropic uncertainty relations as our measure of "incompatibility", mutually
unbiased measurements are not always the most incompatible when considering
more than two observables. In particular, it has been shown [HLSW04] that
if we choose approximately $(\log d)^4$ bases uniformly at random, then with high
probability $\min_{|\psi\rangle} (1/|\mathbb{T}|) \sum_{\mathcal{B} \in \mathbb{T}} H(\mathcal{B}||\psi\rangle) \geq \log d - 3$. This means that there exist
$(\log d)^4$ bases for which this sum of entropies is very large, i.e., measurements in
such bases are very incompatible. However, we show that when $d$ is large, there
exist $\sqrt{d}$ mutually unbiased bases that are much less incompatible according to
this measure. When considering entropic uncertainty relations as a measure of
"incompatibility", we must therefore look for different properties for the bases to
define incompatible measurements.

Luckily, we are able to obtain maximally strong uncertainty relations for
two-outcome measurements for anti-commuting observables. In particular, we obtain
for $\Gamma_1, \ldots, \Gamma_K$ with $\{\Gamma_i, \Gamma_j\} = 0$ that

K 



where $H(\Gamma_j|\rho) = -\sum_{b \in \{0,1\}} \mathrm{Tr}(\Gamma_j^b\rho) \log \mathrm{Tr}(\Gamma_j^b\rho)$ and $\Gamma_j^0$, $\Gamma_j^1$ are projectors onto
the positive and negative eigenspace of $\Gamma_j$ respectively. Thus, if we have zero
entropy for one of the terms, we must have maximal entropy for all others. For
the collision entropy we obtain something slightly suboptimal

for large $K$, where $H_2(\Gamma_j|\rho) = -\log \sum_{b \in \{0,1\}} \mathrm{Tr}(\Gamma_j^b\rho)^2$. Especially our second
uncertainty relation is of interest for cryptographic applications.



4.2 Limitations of mutually unbiased bases 

We first prove tight entropic uncertainty for measurements in MUBs in square 
dimensions. We need the result of Maassen and Uffink |MU88j mentioned above: 



4.2.1. Theorem (Maassen and Uffink). Let $\mathcal{B}_1$ and $\mathcal{B}_2$ be two orthonormal
bases in a Hilbert space of dimension $d$. Then for all pure states



1 



where $c(\mathcal{B}_1,\mathcal{B}_2) = \max\{|\langle b_1|b_2\rangle| \mid |b_1\rangle \in \mathcal{B}_1, |b_2\rangle \in \mathcal{B}_2\}$.



The case when $\mathcal{B}_1$ and $\mathcal{B}_2$ are MUBs is of special interest for us. More generally,
when one has a set of MUBs a trivial application of Theorem 4.2.1 leads to the
following corollary also noted in [Aza04].



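4.2.2. Corollary. Let $\mathbb{B} = \{\mathcal{B}_1, \ldots, \mathcal{B}_m\}$ be a set of MUBs in a Hilbert space
of dimension $d$. Then

$$\frac{1}{m}\sum_{t=1}^{m} H(\mathcal{B}_t||\psi\rangle) \geq \frac{\log d}{2}.$$

Proof. Using Theorem 4.2.1 one gets that for any pair of MUBs $\mathcal{B}_t$ and $\mathcal{B}_{t'}$
with $t \neq t'$

$$\frac{1}{2}\left[H(\mathcal{B}_t||\psi\rangle) + H(\mathcal{B}_{t'}||\psi\rangle)\right] \geq \frac{\log d}{2}.$$

Adding up the resulting equation for all pairs $t \neq t'$ we get the desired result. □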



We now show that this bound can in fact be tight for a large set of MUBs.

4.2.1 MUBs in square dimensions



Corollary 4.2.2 gives a lower bound on the average of the entropies of a set of
MUBs. But how good is this bound? We show that the bound is indeed tight
when we consider product MUBs in a Hilbert space of square dimension.

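4.2.3. Theorem. Let $\mathbb{B} = \{\mathcal{B}_1, \ldots, \mathcal{B}_m\}$ with $m > 2$ be a set of MUBs in a
Hilbert space $\mathcal{H}$ of dimension $s$. Let $U_t$ be the unitary operator that transforms
the computational basis to $\mathcal{B}_t$. Then $\mathbb{V} = \{\mathcal{V}_1, \ldots, \mathcal{V}_m\}$, where

$$\mathcal{V}_t = \{U_t|k\rangle \otimes U_t^*|l\rangle \mid k,l \in [s]\},$$

is a set of MUBs in $\mathcal{H} \otimes \mathcal{H}$, and it holds that

$$\min_{|\psi\rangle} \frac{1}{m}\sum_{t=1}^{m} H(\mathcal{V}_t||\psi\rangle) = \frac{\log d}{2},$$

where $d = \dim(\mathcal{H} \otimes \mathcal{H}) = s^2$.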

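Proof. It is easy to check that $\mathbb{V}$ is indeed a set of MUBs. Our proof works by
constructing a state $|\psi\rangle$ that achieves the bound in Corollary 4.2.2. It is easy to
see that the maximally entangled state

$$|\psi\rangle = \frac{1}{\sqrt{s}}\sum_{k=1}^{s} |kk\rangle$$

satisfies $U \otimes U^*|\psi\rangle = |\psi\rangle$ for any unitary $U$ on $\mathcal{H}$. Indeed,

$$\langle\psi|U \otimes U^*|\psi\rangle = \frac{1}{s}\sum_{k,l=1}^{s} \langle k|U|l\rangle\langle k|U^*|l\rangle = \frac{1}{s}\sum_{k,l=1}^{s} \langle k|U|l\rangle\langle l|U^\dagger|k\rangle = \frac{1}{s}\mathrm{Tr}(UU^\dagger) = 1.$$

Therefore, for any $t \in [m]$ we have that

$$H(\mathcal{V}_t||\psi\rangle) = -\sum_{kl} |\langle kl|U_t \otimes U_t^*|\psi\rangle|^2 \log |\langle kl|U_t \otimes U_t^*|\psi\rangle|^2 = -\sum_{kl} |\langle kl|\psi\rangle|^2 \log |\langle kl|\psi\rangle|^2 = \log s = \frac{\log d}{2}.$$

Taking the average of the previous equation over all $t$ we obtain the result. □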
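The construction in Theorem 4.2.3 can be checked numerically for the smallest case $s = 2$, $d = 4$. The following Python sketch is an added example, not part of the original text; it assumes the three qubit MUBs generated by $\mathbb{I}$, $H$ and $K = (\mathbb{I} + i\sigma_x)/\sqrt{2}$, logarithms to base 2, and hypothetical function names.

```python
import math

SQ = 1 / math.sqrt(2)
# Columns of each unitary are the vectors of one qubit basis (s = 2).
# I, H and K = (I + i*sigma_x)/sqrt(2) generate three mutually unbiased bases.
UNITARIES = {
    "I": [[1, 0], [0, 1]],
    "H": [[SQ, SQ], [SQ, -SQ]],
    "K": [[SQ, 1j * SQ], [1j * SQ, SQ]],
}

def inner(u, v):
    """<u|v> for vectors given as lists of numbers."""
    return sum(complex(a).conjugate() * b for a, b in zip(u, v))

def product_basis(U):
    """The basis V_t = { U|k> (x) U*|l> : k, l in [s] } of Theorem 4.2.3."""
    s = len(U)
    cols = [[U[r][c] for r in range(s)] for c in range(s)]
    return [[a * complex(b).conjugate() for a in k for b in l]
            for k in cols for l in cols]

def mutually_unbiased(B1, B2):
    """True if |<u|v>|^2 = 1/d for every u in B1 and v in B2."""
    d = len(B1)
    return all(abs(abs(inner(u, v)) ** 2 - 1 / d) < 1e-9 for u in B1 for v in B2)

def shannon(probs):
    return -sum(p * math.log2(p) for p in probs if p > 1e-12)

def entropy_in_basis(basis, state):
    """H(B | |psi>): Shannon entropy of the outcome distribution."""
    return shannon([abs(inner(b, state)) ** 2 for b in basis])

def average_entropy(bases, state):
    return sum(entropy_in_basis(B, state) for B in bases) / len(bases)

BASES = [product_basis(U) for U in UNITARIES.values()]
D = len(BASES[0])                # d = s^2 = 4
BOUND = math.log2(D) / 2         # lower bound of Corollary 4.2.2

MAX_ENTANGLED = [SQ, 0, 0, SQ]   # (|00> + |11>)/sqrt(2)
PRODUCT_STATE = [1, 0, 0, 0]     # |00>, shown for contrast

if __name__ == "__main__":
    print("bound (log d)/2      :", BOUND)
    print("maximally entangled  :", average_entropy(BASES, MAX_ENTANGLED))
    print("product state |00>   :", average_entropy(BASES, PRODUCT_STATE))
```

The maximally entangled state meets the bound exactly in all three product bases, while a computational basis state is far above it.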
4.2.2 MUBs based on Latin squares

We now consider mutually unbiased bases based on Latin squares [WB05] as
described in Section 2.4.1. Our proof again follows by providing a state that
achieves the bound in Corollary 4.2.2, which turns out to have a very simple
form.

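4.2.4. Lemma. Let $\mathbb{B} = \{\mathcal{B}_1, \ldots, \mathcal{B}_m\}$ with $m > 2$ be any set of MUBs in a
Hilbert space of dimension $d = s^2$ constructed on the basis of Latin squares. Then

$$\min_{|\psi\rangle} \frac{1}{|\mathbb{B}|}\sum_{\mathcal{B}\in\mathbb{B}} H(\mathcal{B}||\psi\rangle) = \frac{\log d}{2}.$$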



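Proof. Consider the state $|\psi\rangle = |1,1\rangle$ and fix a basis $\mathcal{B}_t = \{|v_{ij}\rangle \mid i,j \in [s]\} \in \mathbb{B}$
coming from a Latin square. It is easy to see that there exists exactly one $j \in [s]$
such that $\langle v_{1j}|1,1\rangle = 1/\sqrt{s}$. Namely this will be the $j \in [s]$ at position (1, 1) in
the Latin square. Fix this $j$. For any other $\ell \in [s]$, $\ell \neq j$, we have $\langle v_{1\ell}|1,1\rangle = 0$.
But this means that there exist exactly $s$ vectors in $\mathcal{B}_t$ such that $|\langle v|1,1\rangle|^2 = 1/s$,
namely exactly the $s$ vectors derived from $|v_{1j}\rangle$ via the Hadamard matrix. The
same argument holds for any such basis $\mathcal{B} \in \mathbb{B}$. We get

$$\sum_{\mathcal{B}\in\mathbb{B}} H(\mathcal{B}||1,1\rangle) = -\sum_{\mathcal{B}\in\mathbb{B}}\sum_{i,j} |\langle v_{ij}|1,1\rangle|^2 \log |\langle v_{ij}|1,1\rangle|^2 = -|\mathbb{B}|\, s\, \frac{1}{s}\log\frac{1}{s} = |\mathbb{B}|\frac{\log d}{2}.$$

The result then follows directly from Corollary 4.2.2. □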



4.2.3 Using a full set of MUBs 

We now provide an alternative proof of an entropic uncertainty relation for a full
set of mutually unbiased bases. This has previously been proved in [San93, SR95].
We already provided an alternative proof using the fact that the set of all mutually
unbiased bases forms a 2-design [BW07]. Here, we provide a new alternative
proof for dimension $d = 2^n$ which has the advantage that it neither requires the
introduction of 2-designs, nor the results of [Lar90] that were used in the previous
proof by Sanchez-Ruiz [San93, SR95]. Instead, our proof is extremely simple:
After choosing a convenient parametrization of quantum states, the statement
follows immediately using only elementary Fourier analysis.

For the parametrization, we first introduce a basis for the space of $2^n \times 2^n$
matrices with the help of mutually unbiased bases. Recall from Section 2.4 that
in dimension $2^n$, we can find exactly $2^n + 1$ MUBs.

4.2.5. Lemma. Consider the Hermitian matrices

X'G{0,1}" 

for $b \in [d+1]$, $j \in [d-1]$ and for all $x, x' \in \{0,1\}^n$ and $b \neq b' \in [d+1]$ we have
$|\langle x_b|x'_{b'}\rangle|^2 = 1/d$. Then the set $\{\mathbb{I}\} \cup \{S_b^j \mid b \in [d+1], j \in [d-1]\}$ forms a basis for
the space of $d \times d$ matrices, where for all $j$ and $b$, $S_b^j$ is traceless and $(S_b^j)^2 = \mathbb{I}$.

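Proof. First, note that we have $(d+1)(d-1) + 1 = d^2$ matrices. We now show
that they are all orthogonal. Note that

$$\mathrm{Tr}(S_b^j) = \sum_{x\in\{0,1\}^n} (-1)^{j\cdot x} = 0,$$

since $j \neq 0$, and hence $S_b^j$ is traceless. Hence $\mathrm{Tr}(\mathbb{I}S_b^j) = 0$. Furthermore,

$$\mathrm{Tr}(S_b^j S_{b'}^{j'}) = \sum_{x,x'\in\{0,1\}^n} (-1)^{j\cdot x}(-1)^{j'\cdot x'} |\langle x_b|x'_{b'}\rangle|^2. \qquad (4.1)$$

For $b \neq b'$, Eq. (4.1) gives us $\mathrm{Tr}(S_b^j S_{b'}^{j'}) = (1/d)\left(\sum_x (-1)^{j\cdot x}\right)\left(\sum_{x'} (-1)^{j'\cdot x'}\right) = 0$,
since $j, j' \neq 0$. For $b = b'$, but $j \neq j'$, we get $\mathrm{Tr}(S_b^j S_b^{j'}) = \sum_x (-1)^{(j\oplus j')\cdot x} = 0$
since $j \oplus j' \neq 0$.

Finally, $(S_b^j)^2 = \sum_{x,x'} (-1)^{j\cdot x}(-1)^{j\cdot x'} |x_b\rangle\langle x_b|x'_b\rangle\langle x'_b| = \mathbb{I}$. □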

Since $\{\mathbb{I}, S_b^j\}$ form a basis for the $d \times d$ matrices, we can thus express the state
$\rho$ of a $d$-dimensional system as



\ beld+i] jeld-i] f 



for some coefficients $s_b^j \in \mathbb{R}$. It is now easy to see that

4.2.6. Lemma. Let $\rho$ be a pure state parametrized as above. Then

be[d+i]je[d-i] 

Proof. If $\rho$ is a pure state, we have $\mathrm{Tr}(\rho^2) = 1$. Hence

$$\mathrm{Tr}(\rho^2) = \frac{1}{d^2}\left(\mathrm{Tr}(\mathbb{I}) + \sum_{b\in[d+1]}\sum_{j\in[d-1]} (s_b^j)^2\, \mathrm{Tr}(\mathbb{I})\right)$$

from which the claim follows. □

Suppose now that we are given a set of $d + 1$ MUBs $\mathcal{B}_1, \ldots, \mathcal{B}_{d+1}$ with $\mathcal{B}_b =
\{|x_b\rangle \mid x \in \{0,1\}^n\}$. Then the following simple observation lies at the core of our
proof:

4.2.7. Lemma. Let $|x_b\rangle$ be the $x$-th basis vector of the $b$-th MUB. Then for any
state $\rho$

Ti{\xb){xb\p) 



d 

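Proof. We have

$$\mathrm{Tr}(|x_b\rangle\langle x_b|\rho) = \frac{1}{d}\left(\mathrm{Tr}(|x_b\rangle\langle x_b|) + \sum_{b',j} s_{b'}^j\, \mathrm{Tr}(S_{b'}^j |x_b\rangle\langle x_b|)\right).$$

Suppose $b \neq b'$. Then $\mathrm{Tr}(S_{b'}^j |x_b\rangle\langle x_b|) = (1/d)\sum_{x'} (-1)^{j\cdot x'} = 0$, since $j \neq 0$.
Suppose $b = b'$. Then $\mathrm{Tr}(S_b^j |x_b\rangle\langle x_b|) = \sum_{x'} (-1)^{j\cdot x'} |\langle x_b|x'_b\rangle|^2 = (-1)^{j\cdot x}$, from
which the claim follows. □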

We are now ready to prove an entropic uncertainty relation for mutually 
unbiased bases. 

4.2.8. Theorem. Let $\mathbb{B} = \{\mathcal{B}_1, \ldots, \mathcal{B}_N\}$ be a set of mutually unbiased bases.
Then

b&[N] 

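Proof. First, note that we can define functions $f_b(j) = s_b^j$ for $j \in [d-1]$
and $f_b(0) = s_b^0 = 1$. Then $\hat{f}_b(x) = (1/\sqrt{d})\left(\sum_{j\in\{0,\ldots,d-1\}} (-1)^{j\cdot x} s_b^j\right)$ is the Fourier
transform of $f_b$ and $(1/\sqrt{d})\hat{f}_b(x) = \mathrm{Tr}(|x_b\rangle\langle x_b|\rho)$ by Lemma 4.2.7. Thus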



be[N] bG[N] xe{o,i}" 

b X 

b j 

= -log^(iV + rf-l), 

where the first inequality follows from Jensen's inequality and the concavity of
log. The next equality follows from Parseval's equality, and the last follows from
the fact that $|\psi\rangle$ is a pure state and Lemma 4.2.6. □

4.2.9. Corollary. Let $\mathbb{B} = \{\mathcal{B}_1, \ldots, \mathcal{B}_N\}$ be a set of mutually unbiased bases.
Then



b&[N] 



dN 



In particular, for a full set of $N = d + 1$ MUBs we have $(1/N)\sum_b H(\mathcal{B}_b||\psi\rangle) \geq
\log((d+1)/2)$.

Proof. This follows immediately from Theorem 4.2.8 and the fact that $H(\cdot) \geq
H_2(\cdot)$. □

It is interesting to note that this bound is the same that arises from
interpolating between the results of Sanchez-Ruiz [San93, SR95] and Maassen and
Uffink [MU88] as was done by Azarchs [Aza04].



4.3 Good uncertainty relations 

As we saw, merely choosing our measurements to be mutually unbiased is not
sufficient to obtain good uncertainty relations. However, we now investigate
measurements using anti-commuting observables for which we do obtain maximally
strong uncertainty relations! In particular, we consider the matrices $\Gamma_1, \ldots, \Gamma_{2n}$,
satisfying the anti-commutation relations

$$\Gamma_i\Gamma_j = -\Gamma_j\Gamma_i \ (i \neq j), \qquad \Gamma_i^2 = \mathbb{I} \qquad (4.2)$$

for all $i,j \in [2n]$. Such operators $\Gamma_1, \ldots, \Gamma_{2n}$ form generators for the Clifford
algebra, which we explain in more detail in Appendix C.

Intuitively, these operators have a property that is very similar to being
mutually unbiased: Recall from Appendix C that we can write for all $j \in [2n]$

where $\Gamma_j^0$ and $\Gamma_j^1$ are projectors onto the positive and negative eigenspace of $\Gamma_j$
respectively. We also have that for all $i,j \in [2n]$ with $i \neq j$

$$\mathrm{Tr}(\Gamma_i\Gamma_j) = \frac{1}{2}\mathrm{Tr}(\Gamma_i\Gamma_j + \Gamma_j\Gamma_i) = 0.$$

Hence the positive and negative eigenspaces of such operators are similarly
mutually unbiased as bases can be: from

$$\mathrm{Tr}(\Gamma_i\Gamma_j^0) = \mathrm{Tr}(\Gamma_i\Gamma_j^1),$$

we immediately see that if we would pick a vector lying in the positive or negative
eigenspace of $\Gamma_j$ and perform a measurement with $\Gamma_i$, the probability to obtain
outcome $\Gamma_i^0$ or outcome $\Gamma_i^1$ must be the same. Thus, one might intuitively hope
to obtain good uncertainty relations for measurements using such operators. We
now show that this is indeed the case.

4.3.1 Preliminaries

Before we can turn to proving our uncertainty relations, we recall a few simple
observations from Appendix C. The operators $\Gamma_1, \ldots, \Gamma_{2n}$ have a unique (up to
unitary) representation in terms of the matrices




for $j = 1, \ldots, n$. We now fix this representation. The product $\Gamma_0 := i\Gamma_1\Gamma_2\cdots\Gamma_{2n}$
is also called the pseudo-scalar. A particularly useful fact is that the collection
of operators

$\mathbb{I}$
$\Gamma_j$ $(1 \leq j \leq 2n)$
$\Gamma_{jk} = i\Gamma_j\Gamma_k$ $(1 \leq j < k \leq 2n)$
$\Gamma_{jk\ell} = \Gamma_j\Gamma_k\Gamma_\ell$ $(1 \leq j < k < \ell \leq 2n)$
$\vdots$
$\Gamma_{12\ldots(2n)} = \Gamma_0$

forms an orthogonal basis for the $d \times d$ complex matrices for $d = 2^n$, where in the
definition of the above operators we introduce a factor of $i$ to all with an even
number of indices to make the whole set a basis for the Hermitian operators with
real valued coefficients. Hence we can write every state $\rho \in \mathcal{H}$ as

$$\rho = \frac{1}{d}\left(\mathbb{I} + \sum_j g_j\Gamma_j + \sum_{j<k} g_{jk}\Gamma_{jk} + \cdots + g_0\Gamma_0\right). \qquad (4.3)$$

The real valued coefficients $(g_1, \ldots, g_{2n})$ in this expansion are called "vector"
components, the ones belonging to higher degree products of $\Gamma$'s are "tensor" or
"k-vector" components.

Recall that we may think of the operators $\Gamma_1, \ldots, \Gamma_{2n}$ as the basis vectors of
a $2n$-dimensional real vector space. Essentially, we can then think of the positive
and negative eigenspace of such operators as the positive and negative direction
of the basis vectors. We can visualize the $2n$ basis vectors with the help of a
$2n$-dimensional hypercube. Each basis vector determines two opposing faces of the
hypercube¹, where we can think of the two faces as corresponding to the positive
and negative eigenspace of each operator as illustrated in Figures 4.1 and 4.2.

Finally, recall that within the Clifford algebra two vectors are orthogonal if
and only if they anti-commute. Hence, if we transform the generating set of $\Gamma_j$
linearly,



J' 



¹Note that the face of a $2n$-dimensional hypercube is a $(2n-1)$-dimensional hypercube itself.



Figure 4.1: 2n = 2-cube 




Figure 4.2: 2n = 4-cube 



the set $\{\Gamma'_1, \ldots, \Gamma'_{2n}\}$ satisfies the anti-commutation relations if and only if $(T_{jk})_{jk}$
is an orthogonal matrix. In that case there exists a matching unitary $U(T)$ of $\mathcal{H}$
which transforms the operator basis as

$$\Gamma'_j = U(T)\Gamma_j U(T)^\dagger.$$

We thus have an $O(2n)$ symmetry of the generating set $\Gamma_1, \ldots, \Gamma_{2n}$. Indeed,
this can be extended to a $SO(2n+1)$ symmetry by viewing $\Gamma_0$ as an additional
"vector": It is not difficult to see that $\Gamma_0$ anti-commutes with $\Gamma_1, \ldots, \Gamma_{2n}$. We
are thus free to remove one of these operators from the generating set and replace
it with $\Gamma_0$ to obtain a new set of generators. Evidently, we may also view these
as basis vectors. This observation forms the basis of the following little lemma,
which allows us to prove our uncertainty relations:

4.3.1. Lemma. The linear map $P$ taking $\rho$ as in Eq. (4.3) to





(4.4) 



is positive. I.e., if $\rho$ is a state, then so is $P(\rho)$, and in this case $\sum_{j=0}^{2n} g_j^2 \leq 1$.
Conversely, if $\sum_{j=0}^{2n} g_j^2 \leq 1$, then



is positive semidefinite, hence a state. 

Proof. First, we show that there exists a unitary $U$ such that $\rho' = U\rho U^\dagger$ has
no pseudo-scalar $\Gamma_0$, and only one nonzero vector component, say at $\Gamma_1$. Hence,
our goal is to find the transformation $U$ that rotates $g = \sum_{j=0}^{2n} g_j\Gamma_j$ to the vector
$b = \sqrt{\ell}\,\Gamma_1$, where we let $\ell := \sum_{j=0}^{2n} g_j^2$. Finding such a transformation
for only the first $2n$ generators can easily be achieved, as we saw in Appendix C.
The challenge is thus to include $\Gamma_0$. To this end we perform three individual
operations: First, we rotate $g' = \sum_{j=1}^{2n} g_j\Gamma_j$ onto the vector $b' = \sqrt{\ell'}\,\Gamma_1$ with
$\ell' := \sum_{j=1}^{2n} g_j^2$. Second, we exchange $\Gamma_2$ and $\Gamma_0$. And finally we rotate the vector
$g'' = \sqrt{\ell'}\,\Gamma_1 + g_0\Gamma_2$ onto the vector $b = \sqrt{\ell}\,\Gamma_1$.

First, we rotate $g' = \sum_{j=1}^{2n} g_j\Gamma_j$ onto the vector $b' = \sqrt{\ell'}\,\Gamma_1$. This is exactly
analogous to the transformation constructed in Appendix C. Consider the vector
$\hat{g} = \frac{1}{\sqrt{\ell'}}g'$. We have $\hat{g}^2 = \mathbb{I}$ and thus the vector is of length 1. Let
$m = \hat{g} + \Gamma_1$ denote the vector lying in the plane spanned by $\Gamma_1$ and $\hat{g}$ located
exactly halfway between $\Gamma_1$ and $\hat{g}$. Let $\hat{m} = c(\hat{g} + \Gamma_1)$ with $c = 1/\sqrt{2(1 + g_1/\sqrt{\ell'})}$.
It is easy to verify that $\hat{m}^2 = \mathbb{I}$ and hence the vector $\hat{m}$ has length 1. To rotate
the vector $g'$ onto the vector $b'$, we now need to first reflect $g'$ around the plane
perpendicular to $\hat{m}$, and then around the plane perpendicular to $\Gamma_1$. Hence, we
now define $R = \Gamma_1\hat{m}$. Evidently, $R$ is unitary since $RR^\dagger = R^\dagger R = \mathbb{I}$. First of all,
note that

$$Rg' = \Gamma_1\hat{m}g' = c\,\Gamma_1\left(\frac{1}{\sqrt{\ell'}}g' + \Gamma_1\right)g'$$

Hence,

$$Rg'R^\dagger = \sqrt{\ell'}\,\hat{m}\hat{m}\,\Gamma_1 = \sqrt{\ell'}\,\Gamma_1 = b',$$

as desired. Using the geometry of the Clifford algebra, one can see that k-vectors
remain k-vectors when transformed with the rotation $R$ (see Appendix C).
Similarly, it is easy to see that $\Gamma_0$ is untouched by the operation $R$

$$R\Gamma_0R^\dagger = \Gamma_0RR^\dagger = \Gamma_0,$$

since $\{\Gamma_0, \Gamma_j\} = 0$ for all $j \in \{1, \ldots, 2n\}$. We can thus conclude that

$$R\rho R^\dagger = \frac{1}{d}\left(\mathbb{I} + \sqrt{\ell'}\,\Gamma_1 + g_0\Gamma_0 + \sum_{j<k} g'_{jk}\Gamma_{jk} + \ldots\right),$$

for some coefficients $g'_{jk}$ and similar for the terms involving higher products.

Second, we exchange $\Gamma_2$ and $\Gamma_0$: To this end, recall that $\ldots, \Gamma_{2n}, \Gamma_0$ is also
a generating set for the Clifford algebra. Hence, we can now view $\Gamma_0$ itself as a
vector with respect to the new generators. To exchange $\Gamma_0$ and $\Gamma_2$ we now simply
rotate $\Gamma_0$ onto $\Gamma_2$. Essentially, this corresponds to a rotation about 90 degrees in
the plane spanned by vectors $\Gamma_0$ and $\Gamma_2$. Consider the vector $n = \Gamma_0 + \Gamma_2$ located
exactly halfway between both vectors. Let $\hat{n} = n/\sqrt{2}$ be the normalized vector.
Let $R' = \Gamma_2\hat{n}$. A small calculation analogous to the above shows that

$$R'\Gamma_0R'^\dagger = \Gamma_2 \quad\text{and}\quad R'\Gamma_2R'^\dagger = -\Gamma_0.$$

We also have that $\Gamma_1, \Gamma_3, \ldots, \Gamma_{2n}$ are untouched by the operation: for $j \neq 0$ and
$j \neq 2$, we have that

$$R'\Gamma_jR'^\dagger = \Gamma_j,$$

since $\{\Gamma_0, \Gamma_j\} = \{\Gamma_2, \Gamma_j\} = 0$. How does $R'$ affect the k-vectors in terms of the
original generators $\Gamma_1, \ldots, \Gamma_{2n}$? Using the anti-commutation relations and the
definition of $\Gamma_0$ it is easy to convince yourself that all k-vectors are mapped to
k'-vectors with $k' \geq 2$ (except for $\Gamma_0$ itself). Hence, the coefficient of $\Gamma_1$ remains
untouched. We can thus conclude that

$$R'R\rho R^\dagger R'^\dagger = \frac{1}{d}\left(\mathbb{I} + \sqrt{\ell'}\,\Gamma_1 + g_0\Gamma_2 + \sum_{j<k} g''_{jk}\Gamma_{jk} + \ldots\right),$$

for some coefficients $g''_{jk}$ and so on.

Finally, we now rotate the vector $g'' = \sqrt{\ell'}\,\Gamma_1 + g_0\Gamma_2$ onto the vector $b$. Note
that $(g'')^2 = (\ell' + g_0^2)\mathbb{I} = \ell\,\mathbb{I}$. Let $\hat{g}'' = g''/\sqrt{\ell}$ be the normalized vector. Our
rotation is derived exactly analogous to the first step: Let $k = \hat{g}'' + \Gamma_1$, and let
$\hat{k} = k/\sqrt{2(1 + \sqrt{\ell'}/\sqrt{\ell})}$. Let $R'' = \Gamma_1\hat{k}$. A simple calculation analogous to the
above shows that

$$R''g''R''^\dagger = \sqrt{\ell}\,\Gamma_1,$$

as desired. Again, we have $R''\Gamma_kR''^\dagger = \Gamma_k$ for $k \neq 1$ and $k \neq 2$. Furthermore,
k-vectors remain k-vectors under the actions of $R''$ [DL03]. Summarizing, we
obtain

$$R''R'R\rho R^\dagger R'^\dagger R''^\dagger = \frac{1}{d}\left(\mathbb{I} + \sqrt{\ell}\,\Gamma_1 + \sum_{j<k} g'''_{jk}\Gamma_{jk} + \ldots\right),$$

for some coefficients $g'''_{jk}$ and so on. Thus, we can take $U = R''R'R$ to arrive at a
new, simpler looking, state

$$\rho' = U\rho U^\dagger = \frac{1}{d}\left(\mathbb{I} + \sqrt{\ell}\,\Gamma_1 + \sum_{j<k} g'''_{jk}\Gamma_{jk} + \ldots\right),$$

for some $g'''_{jk}$, etc.

Similarly, there exist of course orthogonal transformations $F_j$ that take $\Gamma_k$ to
$(-1)^{\delta_{jk}}\Gamma_k$. Such transformations flip the sign of a chosen Clifford generator. In
a similar way to the above, it is easy to see that $F_j = \Gamma_0\Gamma_j$ fulfills this task: we
rotate $\Gamma_j$ by 90 degrees in the plane given by $\Gamma_0$ and $\Gamma_j$ as in the example we
examined in Appendix C. Now, consider

$$\rho'' = \frac{1}{2}\left(\rho' + F_j\rho'F_j^\dagger\right)$$

for $j > 1$. Clearly, if $\rho'$ was a state, $\rho''$ is a state as well. Note that we no longer
have terms involving $\Gamma_j$ in the basis expansion: the map flips the sign of
precisely those terms that have an index $j$ (i.e., they have a factor $\Gamma_j$ in the
definition of the operator basis), and then the coefficients cancel with those of $\rho'$.

We now iterate this map through $j = 2, 3, \ldots, 2n$, and we are left with a final
state $\hat{\rho}$ of the form

$$\hat{\rho} = \frac{1}{d}\left(\mathbb{I} + g'_1\Gamma_1\right).$$

By applying $U^\dagger = (R''R'R)^\dagger$ from above, we now transform $\hat{\rho}$ to $U^\dagger\hat{\rho}U = P(\rho)$,
which is the first part of the lemma.

Looking at $\hat{\rho}$ once more, we see that it can be positive semidefinite only if
$g'_1 \leq 1$, i.e., $\sum_{j=0}^{2n} g_j^2 \leq 1$. Evidently, $\mathrm{Tr}(\hat{\rho}) = 1$ and hence $\hat{\rho}$ is a state.

Conversely, if $\sum_{j=0}^{2n} g_j^2 \leq 1$, then the (Hermitian) operator $A = \sum_j g_j\Gamma_j$ has
the property

jk j 

i.e. $-\mathbb{I} \leq A \leq \mathbb{I}$, so $\sigma = \frac{1}{d}(\mathbb{I} + A) \geq 0$. □

4.3.2 A meta-uncertainty relation

We now first use the above tools to prove a "meta"-uncertainty relation, from
which we will then derive two new entropic uncertainty relations. Evidently, we
have immediately from the above that

4.3.2. Lemma. Let $\rho \in \mathcal{H}$ with $\dim\mathcal{H} = 2^n$ be a quantum state, and consider
$K \leq 2n + 1$ anti-commuting observables $\Gamma_j$. Then,

$$\sum_{j=0}^{K-1} (\mathrm{Tr}(\rho\Gamma_j))^2 \leq \sum_{j=0}^{2n} (\mathrm{Tr}(\rho\Gamma_j))^2 = \sum_{j=0}^{2n} g_j^2 \leq 1.$$

Our result is essentially a generalization of the Bloch sphere picture to higher
dimensions: For $n = 1$ ($d = 2$) the state is parametrized by $\rho = \frac{1}{2}(\mathbb{I} + g_1\Gamma_1 +
g_2\Gamma_2 + g_0\Gamma_0)$ where $\Gamma_1 = X$, $\Gamma_2 = Z$ and $\Gamma_0 = Y$ are the familiar Pauli matrices.
Lemma 4.3.2 tells us that $g_0^2 + g_1^2 + g_2^2 \leq 1$, i.e., the state must lie inside the Bloch
sphere (see Figure 2.1). Our result may be of independent interest, since it is
often hard to find conditions on the coefficients $g_1, g_2, \ldots$ such that $\rho$ is a state.

Notice that the $g_j = \mathrm{Tr}(\rho\Gamma_j)$ are directly interpreted as the expectations of
the observables $\Gamma_j$. Indeed, $g_j$ is precisely the bias of the $\pm 1$-variable $\Gamma_j$:

Pr[r, = l\p] = 

Hence, we can interpret Lemma 4.3.2 as a form of uncertainty relation between
the observables $\Gamma_j$: if one or more of the observables have a large bias (i.e., they
are more precisely defined), this limits the bias of the other observables (i.e., they
are closer to uniformly distributed).

4.3.3 Entropic uncertainty relations 

It turns out that Lemma 4.3.2 has strong consequences for the Rényi and von
Neumann entropic averages

1 

j=0 

where $H_\alpha(\Gamma_j|\rho)$ is the Rényi entropy at $\alpha$ of the probability distribution arising
from measuring the state $\rho$ with observable $\Gamma_j$. The minima over all states $\rho$ of
such expressions can be interpreted as giving entropic uncertainty relations, as we
shall now do for $\alpha = 2$ (the collision entropy) and $\alpha = 1$ (the Shannon entropy).

4.3.3. Theorem. Let $\dim\mathcal{H} = 2^n$, and consider $K \leq 2n + 1$ anti-commuting
observables as defined in Eq. (4.2). Then,

$$\min_\rho \frac{1}{K}\sum_{j=0}^{K-1} H_2(\Gamma_j|\rho) = 1 - \log\left(1 + \frac{1}{K}\right) \approx 1 - \frac{\log e}{K},$$

where $H_2(\Gamma_j|\rho) = -\log\sum_{b\in\{0,1\}} \mathrm{Tr}(\Gamma_j^b\rho)^2$, and the minimization is taken over all
states $\rho$. The latter holds asymptotically for large $K$.

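Proof. Using the fact that $\Gamma_j^b = (\mathbb{I} + (-1)^b\Gamma_j)/2$ we can first rewrite

$$\frac{1}{K}\sum_{j=0}^{K-1} H_2(\Gamma_j|\rho) = -\frac{1}{K}\sum_{j=0}^{K-1} \log\left[\frac{1}{2}\left(1 + \mathrm{Tr}(\rho\Gamma_j)^2\right)\right]$$
$$\geq -\log\left(\frac{1}{2K}\sum_{j=0}^{K-1}\left(1 + \mathrm{Tr}(\rho\Gamma_j)^2\right)\right)$$
$$\geq 1 - \log\left(1 + \frac{1}{K}\right),$$

where the first inequality follows from Jensen's inequality and the concavity of
the log, and the second from Lemma 4.3.2. Clearly, the minimum is attained if
all $g_j = \mathrm{Tr}(\rho\Gamma_j) = \sqrt{\frac{1}{K}}$. It follows from Lemma 4.3.1 that our inequality is tight.
Via the Taylor expansion of $\log\left(1 + \frac{1}{K}\right)$ we obtain the asymptotic result for large
$K$. □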



For the Shannon entropy ($\alpha = 1$) we obtain something even nicer:

4.3.4. Theorem. Let $\dim\mathcal{H} = 2^n$, and consider $K \leq 2n + 1$ anti-commuting
observables as defined in Eq. (4.2). Then,

i=o 

where $H(\Gamma_j|\rho) = -\sum_{b\in\{0,1\}} \mathrm{Tr}(\Gamma_j^b\rho) \log \mathrm{Tr}(\Gamma_j^b\rho)$, and the minimization is taken
over all states $\rho$.

Proof. To see this, note that by rewriting our objective as above, we observe 
that we need to minimize the expression 



K 

j=0 



subject to $\sum_j t_j \leq 1$ and $t_j \geq 0$, via the identification $t_j = (\mathrm{Tr}(\rho\Gamma_j))^2$. An
elementary calculation shows that the function $f(t) = H\left(\frac{1 \pm \sqrt{t}}{2}\right)$ is concave in
$t \in [0,1]$:

$$f'(t) = \frac{1}{4\ln 2}\frac{1}{\sqrt{t}}\left(\ln(1 - \sqrt{t}) - \ln(1 + \sqrt{t})\right),$$

and so

Since we are only interested in the sign of the second derivative, we ignore the
(positive) factors in front of the bracket, and are done if we can show that

$$\ln(1 + \sqrt{t}) + \frac{1}{1 + \sqrt{t}} - \ln(1 - \sqrt{t}) - \frac{1}{1 - \sqrt{t}}$$

is non-positive for $0 \leq t \leq 1$. Substituting $s = 1 - \sqrt{t}$, which is also between 0
and 1, we rewrite this as

$$h(s) = -\ln s - \frac{1}{s} + \ln(2 - s) + \frac{1}{2 - s},$$

which has derivative

$$h'(s) = (1 - s)\left(\frac{1}{s^2} - \frac{1}{(2 - s)^2}\right),$$

and this is clearly positive for $0 < s < 1$. In other words, $h$ increases from its
value at $s = 0$ (where it is $h(0) = -\infty$) to its value at $s = 1$ (where it is $h(1) = 0$),
so indeed $h(s) \leq 0$ for all $0 \leq s \leq 1$. Consequently, also $f''(t) \leq 0$ for $0 \leq t \leq 1$.

Hence, by Jensen's inequality, the minimum is attained with one of the $t_j$
being 1 and the others 0, giving just the lower bound of $1 - \frac{1}{K}$. □



We have shown that anti-commuting Clifford observables obey the strongest
possible uncertainty relation for the von Neumann entropy. It is interesting that
in the process of the proof, however, we have found three uncertainty type
inequalities (the sum of squares bound, the bound on $H_2$, and finally the bound
on $H_1$), and all three have a different structure of attaining the limit. The sum
of squares bound can be achieved in every direction (meaning for every tuple
satisfying the bound we get one attaining it by multiplying all components by
some appropriate factor), the $H_2$ expression requires all components to be equal,
while the $H_1$ expression demands exactly the opposite.
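Lemma 4.3.2 and Theorems 4.3.3 and 4.3.4 can be checked numerically for $n = 2$ ($d = 4$, $K = 5$). The following Python sketch is an added example, not part of the original text; the concrete matrices are an assumed Jordan-Wigner-style representation (the representation formula of Section 4.3.1 did not survive in this copy), $Y \otimes Y$ stands in for the pseudo-scalar up to a phase, logarithms are base 2, and all function names are hypothetical.

```python
import math
import random

X = [[0, 1], [1, 0]]
Y = [[0, -1j], [1j, 0]]
Z = [[1, 0], [0, -1]]
I2 = [[1, 0], [0, 1]]

def kron(A, B):
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]

def matmul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

# Assumed representation for n = 2: four generators plus Y (x) Y.
GAMMAS = [kron(X, I2), kron(Z, I2), kron(Y, X), kron(Y, Z), kron(Y, Y)]
K = len(GAMMAS)

def all_anticommute(gammas=GAMMAS):
    """Check Gamma_a Gamma_b = -Gamma_b Gamma_a for every pair a != b."""
    for a in range(len(gammas)):
        for b in range(a + 1, len(gammas)):
            AB, BA = matmul(gammas[a], gammas[b]), matmul(gammas[b], gammas[a])
            if any(abs(x + y) > 1e-12 for ra, rb in zip(AB, BA) for x, y in zip(ra, rb)):
                return False
    return True

def biases(psi, gammas=GAMMAS):
    """g_j = <psi|Gamma_j|psi>, the bias of the +-1 outcome of Gamma_j."""
    out = []
    for G in gammas:
        Gpsi = [sum(g * c for g, c in zip(row, psi)) for row in G]
        out.append(sum(complex(a).conjugate() * b for a, b in zip(psi, Gpsi)).real)
    return out

def avg_shannon(g):
    """(1/K) sum_j H(Gamma_j|rho), outcome probabilities (1 +- g_j)/2."""
    def h(p):
        return -sum(q * math.log2(q) for q in (p, 1 - p) if q > 1e-12)
    return sum(h((1 + x) / 2) for x in g) / len(g)

def avg_collision(g):
    """(1/K) sum_j H_2(Gamma_j|rho); p0^2 + p1^2 = (1 + g_j^2)/2."""
    return sum(1 - math.log2(1 + x * x) for x in g) / len(g)

def state_with_biases(g, gammas=GAMMAS):
    """Pure state with <Gamma_j> = g_j for a unit vector g.

    A = sum_j g_j Gamma_j squares to the identity, so (I + A)/2 is a
    projector; normalise one of its nonzero columns.
    """
    d = len(gammas[0])
    for c in range(d):
        col = [(1 if r == c else 0) + sum(gj * G[r][c] for gj, G in zip(g, gammas))
               for r in range(d)]
        norm = math.sqrt(sum(abs(v) ** 2 for v in col))
        if norm > 1e-9:
            return [v / norm for v in col]
    raise ValueError("projection vanished; g must be a unit vector")

def scan_random_states(trials=2000, seed=1):
    """Largest sum of squared biases and smallest entropy averages seen."""
    rng = random.Random(seed)
    worst_sq, min_h, min_h2 = 0.0, 1.0, 1.0
    for _ in range(trials):
        v = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(4)]
        n = math.sqrt(sum(abs(c) ** 2 for c in v))
        g = biases([c / n for c in v])
        worst_sq = max(worst_sq, sum(x * x for x in g))
        min_h, min_h2 = min(min_h, avg_shannon(g)), min(min_h2, avg_collision(g))
    return worst_sq, min_h, min_h2

if __name__ == "__main__":
    print("anti-commuting:", all_anticommute())
    print("random scan (max sum g^2, min avg H, min avg H2):", scan_random_states())
    eig = [1 / math.sqrt(2), 0, 1 / math.sqrt(2), 0]   # eigenstate of X (x) I
    print("Shannon bound 1 - 1/K:", 1 - 1 / K, "attained:", avg_shannon(biases(eig)))
    bal = state_with_biases([1 / math.sqrt(K)] * K)
    print("H2 bound:", 1 - math.log2(1 + 1 / K), "attained:", avg_collision(biases(bal)))
```

The eigenstate of one observable attains the Shannon bound, while the state with all biases equal to $1/\sqrt{K}$ attains the collision entropy bound, matching the opposite structures described above.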



4.4 Conclusion 

We showed that merely choosing our measurements to be mutually unbiased does
not lead to strong uncertainty relations. However, we were able to identify
another property which does lead to optimal entropic uncertainty relations for two
outcome measurements! Anti-commuting Clifford observables obey the strongest
possible uncertainty relation for the von Neumann entropy: if we have no
uncertainty for one of the measurements, we have maximum uncertainty for all others.
We also obtain a slightly suboptimal uncertainty relation for the collision
entropy which is strong enough for all cryptographic purposes. Indeed, one could
use our entropic uncertainty relation in the bounded quantum storage setting to
construct, for example, 1-K oblivious transfer protocols analogous to [DFR+07].
Here, instead of encoding a single bit into either the computational or Hadamard
basis, which gives us a 1-2 OT, we now encode a single bit into the positive or
negative eigenspace of each of these $K$ operators. It is clear from the representation
of such operators discussed earlier, that such an encoding can be done
experimentally as easily as encoding a single bit into three mutually unbiased bases given
by $\sigma_x$, $\sigma_y$, $\sigma_z$. Indeed, our construction can be seen as a direct extension of such
an encoding: we obtain the uncertainty relation for the three MUBs previously
proved by Sanchez [San93, SR95] as a special case of our analysis for $K = 3$. It
is perhaps interesting to note that the same operators also play a prominent role
in the setting of non-local games as discussed in Chapter 6.3.2.



Sadly, strong uncertainty relations for measurements with more than two
outcomes remain inaccessible to us. It has been shown [Feh07] that uncertainty
relations for more outcomes can be obtained via a coding argument from
uncertainty relations as we construct them here. Yet, these are far from optimal.
A natural choice would be to consider the generators of a generalized Clifford
algebra, yet such an algebra does not have such nice symmetry properties which
enabled us to implement operations on the vector components above. It remains
an exciting open question whether such operators form a good generalization, or
whether we must continue our search for new properties.



Chapter 5 



Locking classical information 



Locking classical correlations in quantum states [DHL+04] is an exciting feature
of quantum information, intricately related to entropic uncertainty relations. In
this chapter, we will investigate whether good locking effects can be obtained
using mutually unbiased bases.



5.1 Introduction 

Consider a two-party protocol with one or more rounds of communication.
Intuitively, one would expect that in each round the amount of correlation between
the two parties cannot increase by much more than the amount of data
transmitted. For example, transmitting $2\ell$ classical bits or $\ell$ qubits (and using superdense
coding) should not increase the amount of correlation by more than $2\ell$ bits, no
matter what the initial state of the two-party system was. This intuition is
accurate when we take the classical mutual information $\mathcal{I}_c$ as our correlation measure,
and require all communication to be classical. However, when quantum
communication was possible at some point during the protocol, everything changes:
there exist two-party mixed quantum states, such that transmitting just a single
extra bit of classical communication can result in an arbitrarily large increase
in $\mathcal{I}_c$ [DHL+04]. The magnitude of this increase thereby only depends on the
dimension of the initial mixed state. Since then similar locking effects have been
observed, also for other correlation measures [CW05b, HHHO05]. Such effects
play a role in very different scenarios: they have been used to explain physical
phenomena related to black holes [SO06], but they are also important in
cryptographic applications such as quantum key distribution [KRBM07] and quantum
bit string commitment that we will encounter in Chapter 10. We are thus
interested in determining how exactly we can obtain locking effects, and how dramatic
they can be.

5.1.1 A locking protocol

The correlation measure considered here is the classical mutual information of a
bipartite quantum state $\rho_{AB}$, which is the maximum classical mutual information
that can be obtained by local measurements $M_A \otimes M_B$ on the state $\rho_{AB}$ (see
Chapter 2):

$$\mathcal{I}_c(\rho_{AB}) = \max_{M_A \otimes M_B} \mathcal{I}(A,B). \qquad (5.1)$$

Recall from Chapter 2 that the mutual information is defined as $\mathcal{I}(A,B) =
H(P_A) + H(P_B) - H(P_{AB})$ where $H$ is the Shannon entropy. $P_A$, $P_B$, and $P_{AB}$ are
the probability distributions corresponding to the individual and joint outcomes
of measuring the state $\rho_{AB}$ with $M_A \otimes M_B$. The mutual information between $A$
and $B$ is a measure of the information that $B$ contains about $A$. This measure
of correlation is of particular relevance for quantum bit string commitments in
Chapter 10. Furthermore, the first locking effect was observed for this
quantity in the following protocol between two parties: Alice (A) and Bob (B). Let
$\mathbb{B} = \{\mathcal{B}_1, \ldots, \mathcal{B}_m\}$ with $\mathcal{B}_t = \{|b_1^t\rangle, \ldots, |b_d^t\rangle\}$ be a set of $m$ MUBs in $\mathbb{C}^d$. Alice
picks an element $k \in \{1, \ldots, d\}$ and a basis $\mathcal{B}_t \in \mathbb{B}$ uniformly at random. She
then sends $|b_k^t\rangle$ to Bob, while keeping $t$ secret. Such a protocol gives rise to the
joint state

^ dm 

k=l t=l 

Clearly, if Alice told her basis choice $t$ to Bob, he could measure in the right
basis and obtain the correct $k$. Alice and Bob would then share $\log d + \log m$
bits of correlation, which is also their mutual information $\mathcal{I}_c(\sigma_{AB})$, where $\sigma_{AB}$
is the state obtained from $\rho_{AB}$ after the announcement of $t$. But, how large is
$\mathcal{I}_c(\rho_{AB})$, when Alice does not announce $t$ to Bob? It was shown [DHL+04] that
in dimension $d = 2^n$, using the two MUBs given by the unitaries $U_0 = \mathbb{I}^{\otimes n}$ and
$U_1 = H^{\otimes n}$ applied to the computational basis we have $\mathcal{I}_c(\rho_{AB}) = (1/2)\log d$
(see Figure 5.1, where $|x_b\rangle = U_b|x\rangle$). This means that the single bit of basis
information Alice transmits to Bob "unlocks" $(1/2)\log d$ bits: without this bit,
the mutual information is $(1/2)\log d$, but with this bit it is $\log d + 1$. To get a
good locking protocol, we want to use only a small number of bases, i.e., $m$ should
be as small as possible, while at the same time forcing $\mathcal{I}_c(\rho_{AB})$ to be as low as
possible. That is, we want $\log m/(\log d - \mathcal{I}_c(\rho_{AB}))$ to be small.

It is also known that if Alice and Bob randomly choose a large set of unitaries
from the Haar measure to construct $\mathbb{B}$, then $\mathcal{I}_c(\rho_{AB})$ can be brought down to a
small constant [HLSW04]. However, no explicit constructions with more than two
bases are known that give good locking effects. Based on numerical studies for
spaces of prime dimension $3 \leq d \leq 30$, one might hope that adding a third MUB
would strengthen the locking effect and give $\mathcal{I}_c(\rho_{AB}) \approx (1/3)\log d$ [DHL+04].

Figure 5.1: A locking protocol for 2 bases.

Here, however, we show that this intuition fails us. We prove that for three
MUBs given by $\mathbb{I}^{\otimes n}$, $H^{\otimes n}$, and $K^{\otimes n}$ where $K = (\mathbb{I} + i\sigma_x)/\sqrt{2}$ and dimension
$d = 2^n$ for some even integer $n$, we have

$$\mathcal{I}_c(\rho_{AB}) = \frac{1}{2}\log d, \qquad (5.2)$$

the same locking effect as with two MUBs. We also show that for any subset of
the MUBs based on Latin squares and the MUBs in square dimensions based on
generalized Pauli matrices [BBRV02], we again obtain Eq. (5.2), i.e., using two
or all $\sqrt{d}$ of them makes no difference at all! Finally, we show that for any set
of MUBs $\mathbb{B}$ based on generalized Pauli matrices in any dimension, $\mathcal{I}_c(\rho_{AB}) =
\log d - \min_{|\phi\rangle} (1/|\mathbb{B}|) \sum_{\mathcal{B}\in\mathbb{B}} H(\mathcal{B}||\phi\rangle)$, i.e., it is enough to determine a bound on
the entropic uncertainty relation to determine the strength of the locking effect.
Although bounds for general MUBs still elude us, our results show that merely
choosing the bases to be mutually unbiased is not sufficient and we must look
elsewhere to find bases which provide good locking.



5.1.2 Locking and uncertainty relations 

We first explain the connection between locking and entropic uncertainty
relations. In particular, we will see that for MUBs based on generalized Pauli
matrices, we only need to look at such uncertainty relations to determine the exact
strength of the locking effect.

In order to determine how large the locking effect is for some set of mutually
unbiased bases $\mathbb{B}$, and the shared state

|B| d 

p^^ = EEp*.^(I^)(^I ® ® (5.3) 

t=l k=l 



we must find the value of $\mathcal{I}_c(\rho_{AB})$ or at least a good upper bound. That is,
we must find a POVM $M_A \otimes M_B$ that maximizes Eq. (5.1). Here, $\{p_{t,k}\}$ is a
probability distribution over $\mathbb{B} \times [d]$. It has been shown in [DHL+04] that we can
restrict ourselves to taking $M_A$ to be the local measurement determined by the
projectors It is also known that we can limit ourselves to take

the measurement $M_B$ consisting of rank one elements only [Dav78].

where > and is normalized. Maximizing over Mb then corresponds to 
maximizing Bob's accessible information as defined in Chapter [2] for the ensemble 

Pk,t{^i\pk,t\^i)\ (5.4) 



max ( -^Pk,tiogpk,t+ y^^y^^ Pk,tai{^i\Pk,t\^i) log' 

Mb \ 

\ k,t i k^t 



where $\mu = \sum_{k,t} p_{k,t}\rho_{k,t}$ and $\rho_{k,t} = |b_k^t\rangle\langle b_k^t|$. Therefore, we have $\mathcal{I}_c(\rho_{AB}) = \mathcal{I}_{acc}(\mathcal{E})$.
As we saw in Chapter 2, maximizing the accessible information is often a very
hard task. Nevertheless, for our choice of MUBs, the problem will turn out to be
quite easy in the end.



5.2 Locking using mutually unbiased bases 
5.2.1 An example 

We now determine how well we can lock information using specific sets of mutually
unbiased bases. We first consider a very simple example with only three MUBs
that provides the intuition behind the remainder of our proof. The three MUBs
we consider now are generated by the unitaries $\mathbb{I}$, $H$ and $K = (\mathbb{I} + i\sigma_x)/\sqrt{2}$ when
applied to the computational basis. For this small example, we also investigate
the role of the prior over the bases and the encoded basis elements. It turns
out that this does not affect the strength of the locking effect positively, i.e., we
do not obtain a stronger locking effect using a non-uniform prior. Actually, it is
possible to show the same for encodings in many other bases. However, we do not
consider this case in full generality as to not obscure our main line of argument.

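5.2.1. Lemma. Let $U_1 = \mathbb{I}^{\otimes n}$, $U_2 = H^{\otimes n}$, and $U_3 = K^{\otimes n}$, and take $k \in \{0,1\}^n$ 
where $n$ is an even integer. Let $\{p_t\}$ with $t \in [3]$ be a probability distribution 
over the set $\mathcal{S} = \{\mathcal{B}_1, \mathcal{B}_2, \mathcal{B}_3\}$. Suppose that $p_1, p_2, p_3 \leq 1/2$ and let $\{p_{t,k}\}$ with 
$p_{t,k} = p_t/d$ be the joint distribution over $\mathcal{S} \times \{0,1\}^n$. Consider the ensemble 
$\mathcal{E} = \{p_t \frac{1}{d}, U_t|k\rangle\langle k|U_t^\dagger\}$, then 

If, on the other hand, there exists a $t \in [3]$ such that $p_t > 1/2$, then $I_{acc}(\mathcal{E}) > n/2$. 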

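Proof. We first give an explicit measurement strategy and then prove a matching 
upper bound on $I_{acc}$. Consider the Bell basis vectors $|\Gamma_{00}\rangle = (|00\rangle + |11\rangle)/\sqrt{2}$, 
$|\Gamma_{01}\rangle = (|00\rangle - |11\rangle)/\sqrt{2}$, $|\Gamma_{10}\rangle = (|01\rangle + |10\rangle)/\sqrt{2}$, and $|\Gamma_{11}\rangle = (|01\rangle - |10\rangle)/\sqrt{2}$. 
Note that we can write for the computational basis 

$|00\rangle = \frac{1}{\sqrt{2}}(|\Gamma_{00}\rangle + |\Gamma_{01}\rangle)$, 
$|01\rangle = \frac{1}{\sqrt{2}}(|\Gamma_{10}\rangle + |\Gamma_{11}\rangle)$, 
$|10\rangle = \frac{1}{\sqrt{2}}(|\Gamma_{10}\rangle - |\Gamma_{11}\rangle)$, 
$|11\rangle = \frac{1}{\sqrt{2}}(|\Gamma_{00}\rangle - |\Gamma_{01}\rangle)$. 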



The crucial fact to note is that if we fix some $k_1, k_2$, then there exist exactly two 
Bell basis vectors $|\Gamma_{i_1 i_2}\rangle$ such that $|\langle\Gamma_{i_1 i_2}|k_1, k_2\rangle|^2 = 1/2$. For the remaining two 
basis vectors the inner product with $|k_1, k_2\rangle$ will be zero. A simple calculation 
shows that we can express the two-qubit basis states of the other two mutually 
unbiased bases analogously: for each two-qubit basis state there are exactly two 
Bell basis vectors such that the inner product is zero and for the other two the 
inner product squared is 1/2. 

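We now take the measurement given by $\{|\Gamma_i\rangle\langle\Gamma_i|\}$ with $|\Gamma_i\rangle = |\Gamma_{i_1 i_2}\rangle \otimes 
\ldots \otimes |\Gamma_{i_{n-1} i_n}\rangle$ for the binary expansion of $i = i_1 i_2 \ldots i_n$. Fix a $k = k_1 k_2 \ldots k_n$. 
By the above argument, there exist exactly $2^{n/2}$ strings $i \in \{0,1\}^n$ such that 
$|\langle\Gamma_i|k\rangle|^2 = 1/2^{n/2}$. Putting everything together, Eq. (5.4) now gives us for any 
prior distribution $\{p_{t,k}\}$ that 

$-\sum_i \langle\Gamma_i|\mu|\Gamma_i\rangle \log \langle\Gamma_i|\mu|\Gamma_i\rangle - \frac{n}{2} \leq I_{acc}(\mathcal{E})$. (5.5) 

For our particular distribution we have $\mu = \mathbb{I}/d$ and thus 

$\frac{n}{2} \leq I_{acc}(\mathcal{E})$. 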

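We now prove a matching upper bound that shows that our measurement is 
optimal. For our distribution, we can rewrite Eq. (5.4) for the POVM given by 
to 

$I_{acc}(\mathcal{E}) = \max_{M_B} \left( \log d + \sum_i \frac{\alpha_i}{d} \sum_{k,t} p_t |\langle\Phi_i|U_t|k\rangle|^2 \log |\langle\Phi_i|U_t|k\rangle|^2 \right)$ 

$= \max_{M_B} \left( \log d - \sum_i \frac{\alpha_i}{d} \sum_t p_t H(\mathcal{B}_t||\Phi_i\rangle) \right)$, 

for the bases $\mathcal{B}_t = \{U_t|k\rangle \mid k \in \{0,1\}^n\}$. 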
It follows from Corollary 4.2.2 that $\forall i \in \{0,1\}^n$ and $p_1, p_2, p_3 \leq 1/2$ 

$(1/2 - p_1)[H(\mathcal{B}_2||\Phi_i\rangle) + H(\mathcal{B}_3||\Phi_i\rangle)] +$ 
$(1/2 - p_2)[H(\mathcal{B}_1||\Phi_i\rangle) + H(\mathcal{B}_3||\Phi_i\rangle)] +$ 
$(1/2 - p_3)[H(\mathcal{B}_1||\Phi_i\rangle) + H(\mathcal{B}_2||\Phi_i\rangle)] \geq n/2$, 

where we used the fact that $p_1 + p_2 + p_3 = 1$. Reordering the terms we now 
get $\sum_{t=1}^{3} p_t H(\mathcal{B}_t||\Phi_i\rangle) \geq n/2$. Putting things together and using the fact that 
$\sum_i \alpha_i = d$, we obtain 

from which the result follows. 

If, on the other hand, there exists a $t \in [3]$ such that $p_t > 1/2$, then by 
measuring in the basis $\mathcal{B}_t$ we obtain $I_{acc}(\mathcal{E}) \geq p_t n > n/2$, since the entropy will 
be 0 for basis $\mathcal{B}_t$ and we have $\sum_t p_t = 1$. □ 
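The smallest case of Lemma 5.2.1 (n = 2, d = 4) can be checked numerically. The following Python sketch is an added example, not code from the thesis; the function names are assumptions. It verifies that every encoded two-qubit state overlaps with exactly two Bell vectors with squared inner product 1/2, and computes the information obtained by the Bell measurement and, for comparison, by the computational-basis measurement.

```python
import math

R = 1 / math.sqrt(2)

# Single-qubit unitaries generating the three MUBs of the text.
UNITARIES = {
    "I": [[1, 0], [0, 1]],
    "H": [[R, R], [R, -R]],
    "K": [[R, 1j * R], [1j * R, R]],      # K = (1 + i*sigma_x)/sqrt(2)
}

# Two-qubit measurements as real amplitude vectors over |00>, |01>, |10>, |11>.
BELL = [[R, 0, 0, R], [R, 0, 0, -R], [0, R, R, 0], [0, R, -R, 0]]
COMPUTATIONAL = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1]]


def encoded_state(u, k1, k2):
    """Amplitudes of (U (x) U)|k1 k2>, i.e. the string k1k2 encoded in basis U."""
    col1 = [u[0][k1], u[1][k1]]           # U|k1>
    col2 = [u[0][k2], u[1][k2]]           # U|k2>
    return [a * b for a in col1 for b in col2]


def outcome_probs(measurement, state):
    """Born-rule probabilities |<m_i|state>|^2 (measurement vectors are real)."""
    return [abs(sum(m * s for m, s in zip(vec, state))) ** 2 for vec in measurement]


def entropy(probs):
    """Shannon entropy in bits, skipping zero-probability outcomes."""
    return -sum(p * math.log2(p) for p in probs if p > 1e-12)


def half_overlap_counts():
    """For each of the 12 encoded states, count Bell vectors with overlap^2 = 1/2."""
    counts = []
    for u in UNITARIES.values():
        for k1 in (0, 1):
            for k2 in (0, 1):
                probs = outcome_probs(BELL, encoded_state(u, k1, k2))
                counts.append(sum(1 for p in probs if abs(p - 0.5) < 1e-9))
    return counts


def mutual_information(measurement, basis_prior):
    """I((t,k); outcome) in bits for n = 2, uniform k and prior p_t over the bases."""
    outcome_marginal = [0.0] * 4
    conditional_entropy = 0.0
    for p_t, u in zip(basis_prior, UNITARIES.values()):
        for k1 in (0, 1):
            for k2 in (0, 1):
                probs = outcome_probs(measurement, encoded_state(u, k1, k2))
                weight = p_t / 4          # p_{t,k} = p_t / d with d = 4
                conditional_entropy += weight * entropy(probs)
                outcome_marginal = [q + weight * p
                                    for q, p in zip(outcome_marginal, probs)]
    return entropy(outcome_marginal) - conditional_entropy
```

With a uniform prior the Bell measurement yields n/2 = 1 bit while the computational basis yields only 2/3 bit; once one basis has prior weight above 1/2, measuring in that basis yields p_t n > n/2, as in the second case of the lemma.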

Above, we have only considered a non-uniform prior over the set of bases. 
In Chapter 3 we observed that when we want to guess the XOR of a string of 
length 2 encoded in one (unknown to us) of these three bases, the uniform prior 
on the strings is not the one that gives the smallest probability of success. This 
might lead one to think that a similar phenomenon could be observed in the 
present setting, i.e., that one might obtain better locking with three bases for a 
non-uniform prior on the strings. In what follows, however, we show that this is 
not the case. 

Let $p_t = \sum_k p_{k,t}$ be the marginal distribution on the basis, then the difference 
in Bob's knowledge between receiving only the quantum state and receiving the 
quantum state and the basis information, where we will ignore the basis 
information itself, is given by 

$\Delta(p_{k,t}) = H(p_{k,t}) - I_{acc}(\mathcal{E}) - H(p_t)$. 

Consider the post-measurement state $\nu = \sum_i \langle\Gamma_i|\mu|\Gamma_i\rangle |\Gamma_i\rangle\langle\Gamma_i|$. Using Eq. (5.5) 
we obtain 

$\Delta(p_{k,t}) \leq H(p_{k,t}) - S(\nu) + n/2 - H(p_t)$, (5.6) 

where $S$ is the von Neumann entropy. Consider the state 



d 3 

2, 



k=l t=l 

for which we have that 

$S(\rho_{12}) = H(p_{k,t}) \leq S(\rho_1) + S(\rho_2)$ 
$= H(p_t) + S(\mu)$ 
$\leq H(p_t) + S(\nu)$. 

Using Eq. (5.6) and the previous equation we get 

$\Delta(p_{k,t}) \leq n/2$, 

for any prior distribution. This bound is saturated by the uniform prior and 
therefore we conclude that the uniform prior results in the largest gap possible. 

5.2.2 MUBs from generalized Pauli matrices 

We now consider MUBs based on the generalized Pauli matrices $X_d$ and $Z_d$ as 
described in Chapter 2.4.2. We consider a uniform prior over the elements of 
each basis and the set of bases. Choosing a non-uniform prior does not lead to a 
better locking effect. 

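5.2.2. Lemma. Let $\mathbb{B} = \{\mathcal{B}_1, \ldots, \mathcal{B}_m\}$ be any set of MUBs constructed on the 
basis of generalized Pauli matrices in a Hilbert space of prime power dimension 
$d = p^N$. Consider the ensemble $\mathcal{E} = \{\frac{1}{dm}, |b_k^t\rangle\langle b_k^t|\}$. Then 

$I_{acc}(\mathcal{E}) = \log d - \frac{1}{m} \min_{|\psi\rangle} \sum_{\mathcal{B}_t \in \mathbb{B}} H(\mathcal{B}_t||\psi\rangle)$. 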

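Proof. We can rewrite Eq. (5.4) for a POVM $M_B$ of the form $\{\alpha_i|\Phi_i\rangle\langle\Phi_i|\}$ as 

$I_{acc}(\mathcal{E}) = \max_{M_B} \left( \log d + \sum_i \frac{\alpha_i}{dm} \sum_{k,t} |\langle\Phi_i|b_k^t\rangle|^2 \log |\langle\Phi_i|b_k^t\rangle|^2 \right)$ 

$= \max_{M_B} \left( \log d - \sum_i \frac{\alpha_i}{d} \sum_t p_t H(\mathcal{B}_t||\Phi_i\rangle) \right)$. 

For convenience, we split up the index $i$ into $i = ab$ with $a = a_1, \ldots, a_N$ and 
$b = b_1, \ldots, b_N$, where $a_\ell, b_\ell \in \{0, \ldots, p-1\}$ in the following. 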

We first show that applying generalized Pauli matrices to the basis vectors of 
a MUB merely permutes those vectors. 

1. Claim. Let $\mathcal{B}_t = \{|b_1^t\rangle, \ldots, |b_d^t\rangle\}$ be a basis based on generalized Pauli matrices 
(Chapter 2.4.2) with $d = p^N$. Then $\forall a, b \in \{0, \ldots, p-1\}^N, \forall k \in [d]$ we have that 
$\exists k' \in [d]$, such that $|b_{k'}^t\rangle = X_p^{a_1} Z_p^{b_1} \otimes \ldots \otimes X_p^{a_N} Z_p^{b_N} |b_k^t\rangle$. 

Proof. Let 7^* for i G {0,1,2,3} denote the generalized Pauli's = Ip, 

r/ = Xp, r/ = Zp, and = X^Z^. Note that X^Z; = cu™Z;X;, where 

$\omega = e^{2\pi i/p}$. Furthermore, define T;*'^''^ = ® 7^^ ® ij^ to be the Pauli 
operator applied to the x-th qupit. Recall from Section 2.4.2 that there exist 
sets of Pauli operators $C_t$ such that the basis $\mathcal{B}_t$ is the unique simultaneous 
eigenbasis of the set of operators in $C_t$, i.e., for all $k \in [d]$ and $f, g \in [N]$, 
$|b_k^t\rangle \in \mathcal{B}_t$ and $c_{f,g}^t \in C_t$, we have $c_{f,g}^t|b_k^t\rangle = \lambda_{k,f,g}^t|b_k^t\rangle$ for some value $\lambda_{k,f,g}^t$. Note 
that any vector $|v\rangle$ that satisfies this equation is proportional to a vector in $\mathcal{B}_t$. 
To prove that any application of one of the generalized Paulis merely permutes 
the vectors in Bt is therefore equivalent to proving thatr;'(")|6*) are eigenvectors 
of Cj^g for any f,g E [k] and i G {1,3}. This can be seen as follows: Note that 

4,. = (S)n=i (Tp^'^-y^ (r/'^-y" for / = (/i, . . . , /;v) and ^? = (g,, ...,g^) with 
$f_n, g_n \in \{0, \ldots, p-1\}$ [BBRV02]. A calculation then shows that 

where Tf^^g^^i = tu^^ for i = 1 and Tf^^g^^i = uj~f'' for z = 3. Thus 7^*'^^^|6|.) is an 
eigenvector of c^^ for all t, /, g and i, which proves our claim. □ 

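Suppose we are given $|\psi\rangle$ that minimizes $\sum_{\mathcal{B}_t \in \mathbb{B}} H(\mathcal{B}_t||\psi\rangle)$. We can then 
construct a full POVM with elements by taking $\{\frac{1}{d}|\Phi_{ab}\rangle\langle\Phi_{ab}|\}$ with $|\Phi_{ab}\rangle = 
(X_p^{a_1} Z_p^{b_1} \otimes \ldots \otimes X_p^{a_N} Z_p^{b_N})^\dagger|\psi\rangle$. However, it follows from our claim above that 
$\forall a, b, k, \exists k'$ such that $|\langle\Phi_{ab}|b_k^t\rangle|^2 = |\langle\psi|b_{k'}^t\rangle|^2$ and thus $H(\mathcal{B}_t||\psi\rangle) = H(\mathcal{B}_t||\Phi_{ab}\rangle)$ 
from which the result follows. □ 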



Determining the strength of the locking effects for such MUBs is thus 
equivalent to proving bounds on entropic uncertainty relations. We thus obtain as 
a corollary of Theorem 4.2.3 and Lemma 5.2.2 that, for dimensions which are 
the square of a prime power (i.e. $d = p^{2N}$), using any product MUBs based on 
generalized Paulis does not give us any better locking than just using 2 MUBs. 

5.2.3. Corollary. Let $\mathbb{S} = \{\mathcal{S}_1, \ldots, \mathcal{S}_m\}$ with $m \geq 2$ be any set of MUBs 
constructed on the basis of generalized Pauli matrices in a Hilbert space of prime 
(power) dimension $s = p^N$. Define $U_t$ as the unitary that transforms the 
computational basis into the $t$-th MUB, i.e., $\mathcal{S}_t = \{U_t|1\rangle, \ldots, U_t|s\rangle\}$. Let $\mathbb{B} = \{\mathcal{B}_1, \ldots, \mathcal{B}_m\}$ 
be the set of product MUBs with $\mathcal{B}_t = \{U_t \otimes U_t^*|1\rangle, \ldots, U_t \otimes U_t^*|d\rangle\}$ in dimension 
$d = s^2$. Consider the ensemble $\mathcal{E} = \{\frac{1}{dm}, |b_k^t\rangle\langle b_k^t|\}$. Then 



logd 



Proof. The claim follows from Theorem 4.2.3 and the proof of Lemma 5.2.2 by 
constructing a similar measurement formed from vectors = Kaib^ 
with d = a^a^ and b 6^6^, where and b^ , 6^ are defined like a and b in the 
proof of Lemma 5.2.2 and Kab from above. □ 



The simple example we considered above is in fact a special case of 
Corollary 5.2.3. It shows that if the vector that minimizes the sum of entropies has 
certain symmetries, the resulting POVM can even be much simpler. For example, 
the Bell states are vectors with such symmetries. 

5.2.3 MUBs from Latin squares 

At first glance, one might think that maybe the product MUBs based on 
generalized Paulis are not well suited for locking just because of their product form. 
Perhaps MUBs with entangled basis vectors do not exhibit this problem? Let's 
examine how well MUBs based on Latin squares can lock classical information in 
a quantum state. All such MUBs are highly entangled, with the exception of the 
two extra MUBs based on non-Latin squares. Surprisingly, it turns out, however, 
that any set of at least two MUBs based on Latin squares does equally well at 
locking as using just 2 such MUBs. Thus such MUBs perform equally "badly", 
i.e., we cannot improve the strength of the locking effect by using more MUBs of 
this type. 

5.2.4. Lemma. Let $\mathbb{B} = \{\mathcal{B}_1, \ldots, \mathcal{B}_m\}$ with $m \geq 2$ be any set of MUBs in a 
Hilbert space of dimension $d = s^2$ constructed on the basis of Latin squares. 
Consider the ensemble $\mathcal{E}$ = Then 



Proof. Note that we can again rewrite $I_{acc}(\mathcal{E})$ as in the proof of Lemma 5.2.2. 
Consider the simple measurement in the computational basis $\{|i,j\rangle\langle i,j| \mid i,j \in 
[s]\}$. The result then follows by the same argument as in Lemma 4.2.4. □ 



Intuitively, our measurement outputs one sub-square of the Latin square used 
to construct the MUBs as depicted in Figure 5.2.3. As we saw in the construction 
of MUBs based on Latin squares in Chapter 2.4.1, each entry "occurs" in exactly 
$\sqrt{d} = s$ MUBs. 

Figure 5.2: Measurement for $|1,1\rangle$. 



5.3 Conclusion 

We have shown tight bounds on locking for specific sets of mutually unbiased 
bases. Surprisingly, it turns out that using more mutually unbiased bases does not 
always lead to a better locking effect. It is interesting to consider what may make 
these bases so special. The example of three MUBs considered in Lemma 5.2.1 
may provide a clue. These three bases are given by the common eigenbases of 
$\{\sigma_x \otimes \sigma_x, \sigma_x \otimes \mathbb{I}, \mathbb{I} \otimes \sigma_x\}$, $\{\sigma_z \otimes \sigma_z, \sigma_z \otimes \mathbb{I}, \mathbb{I} \otimes \sigma_z\}$ and $\{\sigma_y \otimes \sigma_y, \sigma_y \otimes \mathbb{I}, \mathbb{I} \otimes \sigma_y\}$ 
respectively [BBRV02]. However, $\sigma_x \otimes \sigma_x$, $\sigma_z \otimes \sigma_z$ and $\sigma_y \otimes \sigma_y$ commute and 
thus also share a common eigenbasis, namely the Bell basis. This is exactly 
the basis we will use as our measurement. For all MUBs based on generalized 
Pauli matrices, the MUBs in prime power dimensions are given as the common 
eigenbasis of similar sets consisting of strings of Paulis. It would be interesting 
to determine the strength of the locking effect on the basis of the commutation 
relations of elements of different sets. Furthermore, perhaps it is possible to 
obtain good locking from a subset of such MUBs where none of the elements 
from different sets commute. 

It is also worth noting that the numerical results of [DHL+04] indicate that at 
least in dimension $p$ using more than three bases does indeed lead to a stronger 
locking effect. It would be interesting to know whether the strength of the locking 
effect depends not only on the number of bases, but also on the dimension of the 
system in question. 

Whereas general bounds still elude us, we have shown that merely choosing 
mutually unbiased bases is not sufficient to obtain good locking effects. We thus 
have to look for different properties. Sadly, whereas we were able to obtain good 
uncertainty relations in Chapter 4, the same approach does not work here: To 
obtain good locking we must not only find good uncertainty relations, but also 
find a way to encode many bits using only a small number of encodings. 



Part III 
Entanglement 
Introduction 



Entanglement is possibly the most intriguing element of quantum theory. It plays 
a crucial role in quantum algorithms, quantum cryptography and the understanding 
of quantum mechanics itself. It enables us to perform quantum teleportation, 
as well as superdense coding [NC00]. In this part, we investigate one particular 
aspect of quantum entanglement: the violation of Bell inequalities, and their 
implications for classical protocols. But first, let's take a brief look at the history 
of entanglement, and introduce the essential ingredients we need later. 

6.1 Introduction 

In 1935, Einstein, Podolsky and Rosen (EPR) identified one of the striking 
consequences of what later became known as entanglement. In their seminal 
article [EPR35] "Can Quantum Mechanical Description of Physical Reality Be 
Considered Complete?" the authors define "elements of reality" as follows: 

If, without in any way disturbing a system, we can predict with 
certainty (i.e. with probability equal to unity) the value of a physical 
quantity, then there exists an element of physical reality corresponding to 
this physical quantity. 

EPR call a theory that satisfies this condition complete. They put forward the 
now famous EPR-Paradox, here stated informally using discrete variables as put 
forward by Bohm [Per93]. EPR assume that if we have a state shared between 
two spatially separated systems, Alice and Bob, that do not interact at the time 
of a measurement, 

no real change can take place in the second system as a consequence 
of anything that may be done to the first system. 

That means that Alice and Bob cannot use the shared state itself to transmit 
information. We will also refer to this as the no-signaling condition. Now consider 
the shared state 

Alice Bob Alice Bob Alice Bob Alice Bob 

Suppose that we measure Alice's system in the computational basis to obtain 
outcome $c_A$. Note that we can now predict the outcome of a measurement of 
Bob's system in the computational basis with certainty: $c_B = c_A$, without having 
disturbed Bob's system in any way. Thus $c_B$ is an "element of physical reality". 
However, we might as well have measured Alice's system in the Hadamard basis 
to obtain outcome $h_A$. Likewise, we can now predict with certainty the 
outcome of measuring Bob's system in the Hadamard basis, $h_B = h_A$, again without 
causing any disturbance to the second system. Thus $h_B$ should also be an 
"element of physical reality". But as we saw in Chapter 4, quantum mechanics 
forbids us to assign exact values to both $c_B$ and $h_B$ simultaneously, as 
measurements in the computational and Hadamard basis are non-commutative. Indeed, 
in Chapter 4.2, we saw that these two measurements give the strongest entropic 
uncertainty relation for two measurements. EPR thus conclude 

that the quantum mechanical description of reality given by the wave 
function is not complete. 

EPR's article spurred a flurry of discussion that continues up to the present day. 
Shortly after the publication of their article, Schrödinger published two papers 
in which he coined the term entanglement (German: Verschränkung) [Sch35b, 
Sch35a] and investigated this phenomenon which he described as "not one, but 
rather the characteristic trait of quantum mechanics, the one that enforces its 
entire departure from classical lines of thought" [Sch35b]. One point of discussion 
in the ensuing years was whether the fact that quantum mechanics is not 
complete means that there might exist a more detailed description of nature which 
is complete. Even though these more detailed descriptions, also called "hidden 
variables", had remained inaccessible to us so far, a better theory and better 
technology might enable us to learn them. Thus quantum mechanical observations 
would merely appear to be probabilistic in the absence of our knowledge of such 
hidden variables. 



6.1.1 Bell's inequality 

This idea was put to rest by Bell [Bel65] in 1964, when he proposed conditions 
that any classical theory, i.e. any theory based on local hidden variables, has to 
satisfy, and which can be verified experimentally. These conditions are known 
as Bell inequalities. Intuitively, Bell inequalities measure the strength of 
non-local correlations attainable in any classical theory. Non-local correlations arise 
as the result of measurements performed on a quantum system shared between 
two spatially separated parties. Imagine two parties, Alice and Bob, who are 
given access to a shared quantum state but cannot communicate. In the 
simplest case, each of them is able to perform one of two possible measurements. 
Every measurement has two possible outcomes labeled ±1. Alice and Bob now 
measure using an independently chosen measurement setting and record their 
outcomes. In order to obtain an accurate estimate for the correlation between 
their measurement settings and the measurement outcomes, they perform this 
experiment independently many times using an identically prepared state in 
each round. 








Figure 6.1: Alice and Bob measure many copies of 

Both classical and quantum theories impose limits on the strength of non-local 
correlations. In particular, both should not violate the non-signaling condition 
of special relativity as put forward by EPR above. That is, the local choice of 
the measurement setting does not allow Alice and Bob to transmit information. 
Limits on the strength of correlations which are possible in the framework of any 
classical theory are the Bell inequalities. The best known Bell inequality is the 
Clauser, Horne, Shimony and Holt (CHSH) inequality [CHSH69] 

$\langle CHSH\rangle_c = |\langle X_1 Y_1\rangle + \langle X_1 Y_2\rangle + \langle X_2 Y_1\rangle - \langle X_2 Y_2\rangle| \leq 2$, (6.2) 

where $X_1, X_2$ and $Y_1, Y_2$ are the observables representing the measurement 
settings of Alice and Bob respectively and we use $\langle X_i Y_j\rangle = \langle\Psi|X_i \otimes Y_j|\Psi\rangle$ to denote 
the mean value of $X_i$ and $Y_j$. Quantum mechanics allows for a violation of the 
CHSH inequality, and is thus indeed non-classical: If we take the shared state 
$|\Psi\rangle = (|00\rangle + |11\rangle)/\sqrt{2}$ and let $X_1 = \sigma_x$, $X_2 = \sigma_z$, $Y_1 = (\sigma_x + \sigma_z)/\sqrt{2}$, and 
$Y_2 = (\sigma_x - \sigma_z)/\sqrt{2}$ we obtain 

$\langle CHSH\rangle_q = |\langle X_1 Y_1\rangle + \langle X_1 Y_2\rangle + \langle X_2 Y_1\rangle - \langle X_2 Y_2\rangle| = 2\sqrt{2}$. 

Most importantly, this violation can be experimentally verified allowing us to test 
the validity of the theory. The first such tests were performed by Clauser [Cla76] 
and Aspect, Dalibard, Grangier, and Roger [AGR82, ADR82]. Over the years 
these tests have been refined considerably, ruling out many loopholes present in 
the initial experiments such as for example detector inefficiency [RKM+01]. Yet, 
no conclusive test has been achieved so far. Unfortunately, such experimental 
concerns are outside the scope of this thesis, and we merely point to an overview 
of such issues [Asp99]. 



6.1.2 Tsirelson's bound 

Curiously, even quantum mechanics itself still limits the strength of non-local 
correlations. Tsirelson's bound [Tsi80] says that for quantum mechanics 

and thus the above measurements are optimal. We provide a simple proof of this 
fact in Chapter 7. It is interesting to consider what would happen if quantum 
mechanics allowed for more powerful non-local correlations. To this end, it is 
convenient to rewrite the CHSH inequality from Eq. (6.2) in the form 



$\sum_{x,y \in \{0,1\}} \Pr[a_x \oplus b_y = x \cdot y] \leq 3$. 

Here, $x \in \{0,1\}$ and $y \in \{0,1\}$ denote the choice of Alice's and Bob's 
measurement, $a_x \in \{0,1\}$ and $b_y \in \{0,1\}$ the respective binary outcomes, and $\oplus$ addition 
modulo 2 (see Section 6.2.3 for details). In this form, quantum mechanics allows 
a violation up to the maximal value of $2 + \sqrt{2}$. Since special relativity would even 
allow a violation of Tsirelson's bound, Popescu and Rohrlich [PR94, PR96, PR97] 
raised the question why nature is not more 'non-local'. That is, why does 
quantum mechanics not allow for a stronger violation of the CHSH inequality up to 
the maximal value of 4? To gain more insight into this question, they constructed 
a toy-theory based on non-local boxes. Each such box takes inputs $x, y \in \{0,1\}$ 
from Alice and Bob respectively and always outputs measurement outcomes $a_x, b_y$ 
such that $x \cdot y = a_x \oplus b_y$. Alice and Bob still cannot use this box to transmit any 
information. However, since for all $x$ and $y$, $\Pr[a_x \oplus b_y = x \cdot y] = 1$, the above 
sum equals 4 and thus non-local boxes lead to a maximum violation of the CHSH 
inequality. 

Van Dam [vD05, vD00] has shown that having access to such non-local boxes 
allows Alice and Bob to perform any kind of distributed computation by 
transmitting only a single bit of information. This is even true for slightly less perfect 
boxes achieving weaker correlations [BBL+06]. In [BCU+06], we showed that 
given any non-local boxes, Alice and Bob could perform bit commitment and 
oblivious transfer, which is otherwise known to be impossible. Thus, such 
cryptographic principles are in principle compatible with the theory of non-signaling: 
non-signaling itself does not prevent us from implementing them. 

Looking back to the uncertainty relations in Chapter 4, which rest at the heart 
of the EPR paradox, we might suspect that the violation of the CHSH inequality 
likewise depends on the commutation relations between the local measurements 
of Alice and Bob. Indeed, it has been shown by Landau [Lan87], and Khalfin and 
Tsirelson [KT87], that there exists a state $|\Psi\rangle$ such that 

$|\langle X_1 Y_1\rangle + \langle X_1 Y_2\rangle + \langle X_2 Y_1\rangle - \langle X_2 Y_2\rangle| = 2\sqrt{1 + 4\|[X_1^0, X_2^0][Y_1^0, Y_2^0]\|}$, 

for any $X_1 = X_1^0 - X_1^1$, $X_2 = X_2^0 - X_2^1$ and $Y_1 = Y_1^0 - Y_1^1$, $Y_2 = Y_2^0 - Y_2^1$, where 
we use the superscripts '0' and '1' to denote the projectors onto the positive and 
negative eigenspace respectively. Thus, given any observables $X_1, X_2$ and $Y_1, Y_2$, 
the CHSH inequality is violated if and only if $[X_1^0, X_2^0][Y_1^0, Y_2^0] \neq 0$. 



6.2 Setting the stage 
6.2.1 Entangled states 



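The state given in Eq. (6.1) is just one possible example of an entangled state. 
Recall from Chapter 2 that if $|\Psi\rangle \in \mathcal{H}^A \otimes \mathcal{H}^B$ is a pure state, we say that $|\Psi\rangle$ is 
separable if and only if there exist states $|\Psi^A\rangle \in \mathcal{H}^A$ and $|\Psi^B\rangle \in \mathcal{H}^B$ such that 
$|\Psi\rangle = |\Psi^A\rangle \otimes |\Psi^B\rangle$. A separable pure state is also called a product state. A state 
that is not separable is called entangled. For mixed states the definition is slightly 
more subtle. Let $\rho \in \mathcal{S}(\mathcal{H}^A \otimes \mathcal{H}^B)$ be a mixed state. Then $\rho$ is called a product 
state if there exist $\rho^A \in \mathcal{S}(\mathcal{H}^A)$ and $\rho^B \in \mathcal{S}(\mathcal{H}^B)$ such that $\rho = \rho^A \otimes \rho^B$. The 
state $\rho$ is called separable, if there exists an ensemble $\mathcal{E} = \{p_j, |\Psi_j\rangle\langle\Psi_j|\}$ such 
that $|\Psi_j\rangle = |\Psi_j^A\rangle \otimes |\Psi_j^B\rangle$ with $|\Psi_j^A\rangle \in \mathcal{H}^A$ and $|\Psi_j^B\rangle \in \mathcal{H}^B$ for all $j$, such that 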

j j 

Intuitively, if $\rho$ is separable then $\rho$ corresponds to a mixture of separable pure 
states according to a joint probability distribution $\{p_j\}$, a purely classical form of 
correlation. Given a description of a mixed state $\rho$ it is an NP-hard problem to 
decide whether $\rho$ is separable [Gur03]. However, many criteria and approximation 
algorithms have been proposed [DPS02, DPS04, DPS05, IT06, ITCE04]. It is an 
interesting question to determine the maximal violation of a given Bell inequality 
for a fixed state $\rho$ [LD07]. Here, we only concern ourselves with maximal 
violations of Bell inequalities, and refer to [Ioa07] for an overview of the separability 
problem. Generally, the maximal violation is obtained by using the maximally 
entangled state. However, there are cases for which the maximal violation is 
achieved by a non-maximally entangled state [CGL+02]. Note that we can never 
observe a Bell inequality violation for a separable state: it is no more than a 
classical mixture of separable pure states. On the other hand, any two-qubit pure 
state that is entangled violates the CHSH inequality [Gis91]. However, not all 
entangled mixed states violate the CHSH inequality! A counterexample was given 
by Werner [Wer81] with the so-called Werner-state 

$\rho_W = p \frac{2}{d^2 + d} P_{sym} + (1 - p) \frac{2}{d^2 - d} P_{asym}$, 

where $P_{sym}$ and $P_{asym}$ are projectors onto the symmetric and the anti-symmetric 
subspace respectively. For $p \geq 1/2$ this state is separable, but it is entangled 
for $p < 1/2$. Yet, the CHSH inequality is not violated. A lot of work has been 
done to quantify the amount of entanglement in quantum states, and we refer 
to [Ter99, Eis01, Chr05] for an overview. 

6.2.2 Other Bell inequalities 

The CHSH inequality we encountered above is by no means the only Bell 
inequality. Recall that non-local correlations arise as the result of measurements 
performed on a quantum system shared between two spatially separated parties. 
Let $x$ and $y$ be the variables corresponding to Alice and Bob's choice of 
measurement. Let $a$ and $b$ denote the corresponding outcomes.¹ Let $\Pr[a,b|x,y]$ 
be the probability of obtaining outcomes $a, b$ given settings $x, y$. What values 
are allowed for $\Pr[a,b|x,y]$? Clearly, we want that for all $x, y, a, b$ we have that 
$\Pr[a,b|x,y] \geq 0$ and $\sum_{a,b} \Pr[a,b|x,y] = 1$. From the no-signaling condition we 
furthermore obtain that the marginals obey $\Pr[a|x] = \Pr[a|x,y] = \sum_b \Pr[a,b|x,y]$ 
and likewise for $\Pr[b|y]$, i.e. the probability of Alice's measurement outcome is 
independent of Bob's choice of measurement setting, and vice versa. For $n$ players, 
who each perform one of $N$ measurements with $k$ possible outcomes, we have 
$(Nk)^n$ such probabilities to assign, giving us a $(Nk)^n$ dimensional vector. To 
find all Bell inequalities, we now look for inequalities that bound the classically 
accessible region (a convex polytope) for such assignments. It is clear that we 
can find a huge number of such inequalities. Of course, often the most interesting 
inequalities are the ones that are satisfied only classically, but where we can find a 
better quantum strategy. Much work has been done to identify such inequalities, 
and we refer to [WW01b] for an excellent overview. In the following chapters, we 
are interested in the following related question: Given an inequality, what is the 
optimal quantum measurement strategy that maximizes the inequality? 

6.2.3 Non-local games 

It is often convenient to view Bell experiments as a game between two, or more, 
distant players, who cooperate against a special party. We call this special party 
the verifier. In a two player game with players Alice and Bob, the verifier picks 
two questions, say $s_1$ and $s_2$, and hands them to Alice and Bob respectively, 
who now need to decide answers $a_1$ and $a_2$. To this end, they may agree on any 
strategy beforehand, but can no longer communicate once the game starts. The 
verifier then decides according to a fixed set of public rules, whether Alice and 
Bob win by giving answers $a_1, a_2$ to questions $s_1, s_2$. In a quantum game, Alice 
and Bob may perform measurements on a shared entangled state to determine 
their answers. We can thus think of the questions as measurement settings and 
the answers as measurement outcomes. 

¹For simplicity, we assume that the set of possible outcomes is the same for each setting. 

More formally, we consider games among $N$ players $P_1, \ldots, P_N$. Let $S_1, \ldots, S_N$ 
and $A_1, \ldots, A_N$ be finite sets corresponding to the possible questions and answers 
respectively. Let $\pi$ be a probability distribution on $S_1 \times \ldots \times S_N$, and let $V$ 
be a predicate on $A_1 \times \ldots \times A_N \times S_1 \times \ldots \times S_N$. Then $G = G(V, \pi)$ is the 
following $N$-player cooperative game: A set of questions $(s_1, \ldots, s_N) \in S_1 \times \ldots \times 
S_N$ is chosen at random according to the probability distribution $\pi$. Player $P_j$ 
receives question $s_j$, and then responds with answer $a_j \in A_j$. The players win 
if and only if $V(a_1, \ldots, a_N, s_1, \ldots, s_N) = 1$. We write $V(a_1, \ldots, a_N|s_1, \ldots, s_N) = 
V(a_1, \ldots, a_N, s_1, \ldots, s_N)$ to emphasize the fact that $a_1, \ldots, a_N$ are the answers 
given questions $s_1, \ldots, s_N$. 




Figure 6.2: Multiplayer non-local games. 



The value of the game $\omega(G)$ is the probability that the players win the game, 
maximized over all possible strategies. We use $\omega_c(G)$ and $\omega_q(G)$ to differentiate 
between the value of the game in the classical and quantum case respectively. 
Classically, $\omega_c(G)$ can always be attained by a deterministic strategy [CHTW04a]. 
We can thus write 

$\omega_c(G) = \max_{f_1, \ldots, f_N} \sum_{s_1, \ldots, s_N} \pi(s_1, \ldots, s_N) V(f_1(s_1), \ldots, f_N(s_N)|s_1, \ldots, s_N)$, (6.3) 

where the maximization is taken over all functions $f_j : S_j \to A_j$ that determine 
answers $a_j = f_j(s_j)$. 

Quantumly, the strategy of the players consists of their choice of measurements 
and shared entangled state. Let $|\Psi\rangle$ denote the players' choice of state, and let 
$X_{s_j}^{[j]} = \{X_{s_j}^{a_j,[j]} \mid a_j \in A_j\}$ denote the POVM of player $P_j$ for question $s_j \in S_j$. 
Here, we always assume that the underlying Hilbert space is finite-dimensional. 
The value of the quantum game is then 

$\omega_q(G) = \max_{X^{[1]}, \ldots, X^{[N]}} \sum_{s_1, \ldots, s_N} \pi(s_1, \ldots, s_N) \sum_{a_1, \ldots, a_N} V(a_1, \ldots, a_N|s_1, \ldots, s_N) \langle\Psi|X_{s_1}^{a_1,[1]} \otimes \cdots \otimes X_{s_N}^{a_N,[N]}|\Psi\rangle$, (6.4) 

where the maximization is taken over all POVMs $X_{s_j}^{[j]}$ for all $j \in [N]$ and $s_j \in S_j$. 
In the following, we say that a set of measurement operators achieves $p$, if 

Of particular relevance in the next chapters is a special class of two-player games 
known as XOR-games [CHTW04a]: Here, $N = 2$ and we assume that $A_1 = A_2 = 
\{0, 1\}$. The two players $P_1$ (Alice) and $P_2$ (Bob) each have only two possible 
measurement outcomes. Furthermore, the winning condition only depends on 
the XOR of answers $a_1$ and $a_2$ and thus we write $V(c|s_1, s_2)$ with $c = a_1 \oplus a_2$. It 
can be shown [CHTW04a] that the optimal POVM in this case consists only of 
projectors. We can thus write $X_{s_1}^{[1]}$ and $X_{s_2}^{[2]}$ as observables with two eigenvalues: 
$X_{s_1}^{[1]} = X_{s_1}^{0,[1]} - X_{s_1}^{1,[1]}$ and $X_{s_2}^{[2]} = X_{s_2}^{0,[2]} - X_{s_2}^{1,[2]}$ where $s_1 \in S_1$ and $s_2 \in S_2$. A small 
calculation using the fact that $X_{s_1}^{0,[1]} + X_{s_1}^{1,[1]} = \mathbb{I}$ and $X_{s_2}^{0,[2]} + X_{s_2}^{1,[2]} = \mathbb{I}$ shows that 
we can rewrite the optimal value of a quantum XOR-game as 

$\omega_q(G) =$ (6.5) 
$\max_{X^{[1]}, X^{[2]}} \frac{1}{2} \sum_{s_1, s_2} \pi(s_1, s_2) \sum_{c \in \{0,1\}} V(c|s_1, s_2) \left(1 + (-1)^c \langle\Psi|X_{s_1}^{[1]} \otimes X_{s_2}^{[2]}|\Psi\rangle\right)$. (6.6) 

From the above, we can see that XOR-games correspond to correlation 
inequalities with two-outcome measurements. We will see in Chapter 7 that this 
reformulation enables us to determine the optimal measurements for such XOR-games in 
a very simple manner. Indeed, the CHSH inequality can be rephrased as a simple 
quantum XOR-game. Here, Alice and Bob win if and only if given questions $s_1, s_2$ 
they return answers $a_1, a_2$ such that $s_1 \cdot s_2 = a_1 \oplus a_2$, i.e. we have $V(c|s_1, s_2) = 1$ 
if and only if $s_1 \cdot s_2 = c$. Recalling Eq. (6.2) we can write 

$\omega(CHSH) = \frac{1}{2}\left(1 + \frac{\langle CHSH\rangle}{4}\right)$ 

from which we obtain $\omega_q(CHSH) = 1/2 + 1/(2\sqrt{2})$ vs. $\omega_c(CHSH) = 3/4$. 
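The CHSH numbers quoted in Sections 6.1.1 and 6.2.3 can be reproduced directly from the definitions. The following Python sketch is an added example, not code from the thesis; the function names are assumptions. It evaluates the CHSH expression for the state and observables given in Section 6.1.1, brute-forces the classical game value of Eq. (6.3) over deterministic strategies, and evaluates the XOR-game expression of Eq. (6.5)-(6.6) at those same measurements rather than performing the maximization.

```python
from itertools import product

R = 2 ** -0.5
SIGMA_X = [[0, 1], [1, 0]]
SIGMA_Z = [[1, 0], [0, -1]]
PSI = [R, 0, 0, R]                      # (|00> + |11>)/sqrt(2) over |00>,|01>,|10>,|11>


def mix(a, b):
    """Return the 2x2 matrix a*sigma_x + b*sigma_z."""
    return [[a * SIGMA_X[i][j] + b * SIGMA_Z[i][j] for j in range(2)]
            for i in range(2)]


X = [SIGMA_X, SIGMA_Z]                  # Alice: X_1, X_2 of the text
Y = [mix(R, R), mix(R, -R)]             # Bob:   Y_1, Y_2 of the text


def correlation(a_obs, b_obs):
    """<Psi| A (x) B |Psi> for real 2x2 observables A and B."""
    kron = [[a_obs[i][j] * b_obs[k][l] for j in range(2) for l in range(2)]
            for i in range(2) for k in range(2)]
    return sum(PSI[r] * kron[r][c] * PSI[c] for r in range(4) for c in range(4))


def chsh_quantum():
    """|<X1Y1> + <X1Y2> + <X2Y1> - <X2Y2>| for the measurements above."""
    e = [[correlation(X[s], Y[t]) for t in (0, 1)] for s in (0, 1)]
    return abs(e[0][0] + e[0][1] + e[1][0] - e[1][1])


def chsh_classical_max():
    """Largest CHSH value when each observable has a predetermined value +1 or -1."""
    return max(abs(x1 * y1 + x1 * y2 + x2 * y1 - x2 * y2)
               for x1, x2, y1, y2 in product((1, -1), repeat=4))


def predicate(c, s, t):
    """V(c|s,t) of the CHSH XOR-game: win iff a_1 XOR a_2 = s_1 * s_2."""
    return 1 if c == s * t else 0


def classical_game_value():
    """Eq. (6.3) with uniform pi: maximise over deterministic functions f_1, f_2."""
    best = 0.0
    for f1, f2 in product(product((0, 1), repeat=2), repeat=2):
        value = sum(0.25 * predicate(f1[s] ^ f2[t], s, t)
                    for s in (0, 1) for t in (0, 1))
        best = max(best, value)
    return best


def quantum_game_value():
    """Expression inside the max of Eq. (6.5)-(6.6), uniform pi, measurements above."""
    return sum(0.25 * predicate(c, s, t) * 0.5
               * (1 + (-1) ** c * correlation(X[s], Y[t]))
               for s in (0, 1) for t in (0, 1) for c in (0, 1))
```

Outcome +1 of an observable is identified with answer bit 0 and outcome -1 with bit 1, which is what turns the correlation into the winning probability used in quantum_game_value.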
6.3 Observations 

In the following chapters, we are concerned with finding the optimal quantum 
measurement strategies for Bell inequalities. To this end, we first make a few 
simple observations that help us understand the structural properties of our 
problem. In particular, this also enables us to understand the relation between Bell 
inequalities and the problem of post-measurement information in Chapter 6.4. 
We then present a theorem by Tsirelson [Tsi80, Tsi87] that plays a crucial role 
in the subsequent chapters. 

6.3.1 Simple structural observations 

Suppose we are given a set of measurements for Alice and Bob and a shared state $\rho$. Can we reduce the dimension of Alice and Bob's measurement operators and thereby the amount of entanglement they need? As we saw in Chapter 2, we can often simplify our problem by identifying its classical and quantum part. Indeed, this is also the case here.

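6.3.1. Lemma. Let $\mathcal{H} = \mathcal{H}^A \otimes \mathcal{H}^B$ and let $\mathcal{A} = \{X^a_s \in \mathbb{B}(\mathcal{H}^A)\}$ and $\mathcal{B} = \{Y^b_t \in \mathbb{B}(\mathcal{H}^B)\}$ be the set of Alice and Bob's measurement operators respectively. Let $\rho \in \mathcal{S}(\mathcal{H})$ be the state shared by Alice and Bob. Suppose that for such operators we have

$$q = \sum_{s \in S, t \in T} \pi(s,t) \sum_{a \in A, b \in B} V(a,b|s,t)\, \mathrm{Tr}(X^a_s \otimes Y^b_t \rho).$$

Then there exist measurement operators $\tilde{\mathcal{A}} = \{\tilde{X}^a_s\}$ and $\tilde{\mathcal{B}} = \{\tilde{Y}^b_t\}$ and a state $\tilde{\rho}$ such that

$$q \le \sum_{s \in S, t \in T} \pi(s,t) \sum_{a \in A, b \in B} V(a,b|s,t)\, \mathrm{Tr}(\tilde{X}^a_s \otimes \tilde{Y}^b_t \tilde{\rho}),$$

and the C*-algebra generated by $\tilde{\mathcal{A}}$ and $\tilde{\mathcal{B}}$ is simple.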

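Proof. Let $\mathscr{A} = \langle \mathcal{A} \rangle$ and $\mathscr{B} = \langle \mathcal{B} \rangle$. If $\mathscr{A}$ and $\mathscr{B}$ are simple, we are done. If not, we know from Lemma B.4.1 and Lemma B.4.4 that there exists a decomposition $\mathcal{H}^A \otimes \mathcal{H}^B = \bigoplus_{jk} \mathcal{H}^A_j \otimes \mathcal{H}^B_k$. Consider $\mathrm{Tr}((M^A \otimes M^B)\rho)$, where $M^A \otimes M^B \in \mathscr{A} \otimes \mathscr{B}$. It follows from the above that $M^A \otimes M^B = \bigoplus_{jk} (\Pi^A_j \otimes \Pi^B_k) M^A \otimes M^B (\Pi^A_j \otimes \Pi^B_k)$, where $\Pi^A_j$ and $\Pi^B_k$ are projectors onto $\mathcal{H}^A_j$ and $\mathcal{H}^B_k$ respectively. Let $\hat{\rho} = \bigoplus_{jk} (\Pi^A_j \otimes \Pi^B_k)\rho(\Pi^A_j \otimes \Pi^B_k)$. Clearly,

$$\mathrm{Tr}((M^A \otimes M^B)\rho) = \sum_{jk} \mathrm{Tr}((\Pi^A_j \otimes \Pi^B_k) M^A \otimes M^B (\Pi^A_j \otimes \Pi^B_k)\rho) = \mathrm{Tr}((M^A \otimes M^B)\hat{\rho}).$$

The statement now follows immediately by convexity: Alice and Bob can now measure $\rho$ using $\{\Pi^A_j \otimes \Pi^B_k\}$ and record the classical outcomes $j,k$. The new measurements are then $\tilde{A}^a_{s,j} = \Pi^A_j X^a_s \Pi^A_j$ and $\tilde{B}^b_{t,k} = \Pi^B_k Y^b_t \Pi^B_k$ on state $\hat{\rho}_{jk} = (\Pi^A_j \otimes \Pi^B_k)\rho(\Pi^A_j \otimes \Pi^B_k)/\mathrm{Tr}((\Pi^A_j \otimes \Pi^B_k)\rho)$. By construction, $\mathscr{A}_j = \{\tilde{A}^a_{s,j}\}$ and $\mathscr{B}_k = \{\tilde{B}^b_{t,k}\}$ are simple.

Let $q_{jk}$ denote the probability that we obtain outcomes $j, k$, and let

$$r_{jk} = \sum_{s \in S, t \in T} \pi(s,t) \sum_{a \in A, b \in B} V(a,b|s,t)\, \mathrm{Tr}(\tilde{A}^a_{s,j} \otimes \tilde{B}^b_{t,k} \hat{\rho}_{jk}).$$

Then $q = \sum_{jk} q_{jk} r_{jk} \le \max_{jk} r_{jk}$. Let $u,v$ be such that $r_{u,v} = \max_{jk} r_{jk}$. Hence, we can skip the initial measurement and instead use measurements $\tilde{X}^a_s = \tilde{A}^a_{s,u}$, $\tilde{Y}^b_t = \tilde{B}^b_{t,v}$ and state $\tilde{\rho} = \hat{\rho}_{u,v}$. □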

It also follows immediately from the above proof that 

6.3.2. Corollary, dim(p) < dim(7^^^) dim(7^f ) 

We can thus assume without loss of generality that the algebra generated by Alice and Bob's optimal measurements is always simple. We also immediately see why we can simulate the quantum measurement classically if Alice or Bob's measurements commute locally. Indeed, the above proof tells us how to construct the appropriate classical strategy:

6.3.3. Corollary. Let $\mathcal{H} = \mathcal{H}^A \otimes \mathcal{H}^B$ and let $\mathcal{A} = \{X^a_s \in \mathbb{B}(\mathcal{H}^A)\}$ and $\mathcal{B} = \{Y^b_t \in \mathbb{B}(\mathcal{H}^B)\}$ be the set of Alice and Bob's measurement operators respectively. Let $\rho \in \mathcal{S}(\mathcal{H})$ be the state shared by Alice and Bob. Let $p$ be the value of the non-local game achieved using these measurements. Suppose that for all $s, s'$ and $a, a'$ we have that $[X^a_s, X^{a'}_{s'}] = 0$ (or for all $t, t', b, b'$ $[Y^b_t, Y^{b'}_{t'}] = 0$). Then there exists a classical strategy for Alice and Bob that achieves $p$.

Proof. Our conditions imply that either $\mathscr{A}$ or $\mathscr{B}$ is abelian. Suppose wlog that $\mathscr{A}$ is abelian. Hence, by the above proof we have $\max_j \dim(\mathcal{H}^A_j) = 1$. Again, Alice and Bob perform the measurements determined by $\Pi^A_j$ and $\Pi^B_k$ and record their outcomes $j, k$. Since $\dim(\mathcal{H}^A_j) = 1$, Alice's post-measurement state is in fact classical, and we have no further entanglement between Alice and Bob. □

To violate a Bell inequality, Alice and Bob must thus use measurements which do not commute locally. However, since Alice and Bob are spatially separated, we can write Alice and Bob's measurement operators as $X = \hat{X} \otimes I$ and $Y = I \otimes \hat{Y}$ respectively, as for any $\rho$ we can write $\mathrm{Tr}(\rho(\hat{X} \otimes \hat{Y})) = \mathrm{Tr}(\rho(\hat{X} \otimes I)(I \otimes \hat{Y}))$. Thus $[X, Y] = 0$. Thus from a bipartite structure we obtain certain commutation relations. How about the converse? As it turns out, in any finite-dimensional C*-algebra¹ these two notions are equivalent: From commutation we immediately obtain a bipartite structure! We encounter this well-known, rather beautiful observation in Appendix B.

¹ Or indeed any Type-I von Neumann algebra.

6.3.2 Vectorizing measurements

In Chapter 7, we show how to obtain the optimal measurements for any bipartite correlation inequality. At first sight, this may appear to be a daunting problem: We must simultaneously maximize Eq. (6.5) over the state $\rho$ as well as measurement operators of the form $X \otimes Y$, a problem which is clearly not convex. Yet, the following brilliant observation by Tsirelson [Tsi80, Tsi87] greatly simplifies our problem.

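6.3.4. Theorem (Tsirelson). Let $X_1, \ldots, X_n$ and $Y_1, \ldots, Y_m$ be observables with eigenvalues in the interval $[-1, 1]$. Then for any state $|\Psi\rangle \in \mathcal{H}^A \otimes \mathcal{H}^B$ and for all $s \in [n]$, $t \in [m]$, there exist real unit vectors $x_1, \ldots, x_n, y_1, \ldots, y_m \in \mathbb{R}^{n+m}$ such that

where $x_s \cdot y_t$ is the standard inner product. Conversely, let $x_s, y_t \in \mathbb{R}^N$ be real unit vectors. Let $|\Psi\rangle \in \mathcal{H}^A \otimes \mathcal{H}^B$ be any maximally entangled state where $\dim(\mathcal{H}^A) = \dim(\mathcal{H}^B) = 2^{\lfloor N/2 \rfloor}$. Then for all $s \in [n]$, $t \in [m]$ there exist observables $X_s$ on $\mathcal{H}^A$ and $Y_t$ on $\mathcal{H}^B$ with eigenvalues in $\{-1, 1\}$ such that

$$x_s \cdot y_t = \langle\Psi|X_s \otimes Y_t|\Psi\rangle.$$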

In fact, by limiting ourselves onto the space spanned by the vectors $x_1, \ldots, x_n$ or $y_1, \ldots, y_m$, we could further decrease the dimension of the vectors to $N = \min\{n, m\}$ [Tsi87]. The result was proven by Tsirelson in a more general form for any finite-dimensional C*-algebra. Here, we do not consider this more abstract argument, but instead simply sketch how to obtain the vectors and state how to find the corresponding measurement operators in turn [Tsi93]. To find vectors $x_s$ and $y_t$, we merely need to consider the vectors

$$x_s = X_s \otimes I|\Psi\rangle \quad \text{and} \quad y_t = I \otimes Y_t|\Psi\rangle,$$

where we may take the vectors to be real [Tsi80]. Recall that we are only interested in the inner products. But clearly we can then bound the dimension of our vectors as the number of our vectors is strictly limited and thus cannot span a space of dimension larger than $N$.

To construct observables corresponding to a given set of vectors, consider the generators of a Clifford algebra $\Gamma_1, \ldots, \Gamma_N$ with $N$ even² that we already encountered in Section 4.3, i.e., we have that for all $j \neq k \in [N]$, $\{\Gamma_j, \Gamma_k\} = 0$ and $\Gamma_j^2 = I$. Note that we also have $\mathrm{Tr}(\Gamma_j \Gamma_k) = \delta_{jk}$ as the two matrices anti-commute. Consider two vectors $x_s, y_t \in \mathbb{R}^N$ with $x_s = (x_s^1, \ldots, x_s^N)$ and $y_t = (y_t^1, \ldots, y_t^N)$. Define $X_s = \sum_{j \in [N]} x_s^j \Gamma_j$ and $Y_t = \sum_{j \in [N]} y_t^j \Gamma_j$ and let $|\Psi\rangle = (1/\sqrt{d}) \sum_k |k\rangle|k\rangle$ with $d = 2^{\lfloor N/2 \rfloor}$ be the maximally entangled state. We then have

$$\langle\Psi|X_s \otimes Y_t|\Psi\rangle = \frac{1}{d} \sum_{jk} x_s^j y_t^k\, \mathrm{Tr}(\Gamma_j \Gamma_k) = \frac{1}{d} \sum_j x_s^j y_t^j\, \mathrm{Tr}(I) = x_s \cdot y_t.$$

² If $N$ is odd, we obtain one additional element from $\Gamma_0$.

Note that in principle we could have chosen any set of orthogonal operators $\Gamma_1, \ldots, \Gamma_N$ to obtain the stated equality. However, we obtain from their anti-commutation that

jk jk j 

since = 1. Hence, $X_s$ has eigenvalues in $\{-1, 1\}$ as desired. Curiously, $\Gamma_1, \ldots, \Gamma_N$ were also the right choice of operators to obtain good uncertainty relations in Chapter 4.3.



6.4 The use of post-measurement information 

Looking back to Chapter 3, we see that we have already encountered the same structure in the context of post-measurement information. Recall that there our goal was to determine $y$ given some $\rho_{yb} \in \{\rho_{yb} \mid y \in \mathcal{Y} \text{ and } b \in \mathcal{B}\}$ after receiving additional post-measurement information $b$. In particular, as we explain in more detail in Chapter 8, we see that the question of how much post-measurement information is required is the same as the following: given a set of observables, how large does our quantum state have to be in order to implement the resulting non-local game? However, we can further exploit the relationship between these two problems to prove a gap between the optimal success probability in the setting of state discrimination (STAR) and the setting of state discrimination with post-measurement information (PI-STAR). In particular, we show that for some problems, if we can succeed perfectly in the setting of PI-STAR without keeping any qubits at all, our success at STAR can in fact be bounded by a Bell-type inequality! Of course, PI-STAR itself is not a non-local problem. However, as we saw in Appendix B, the commutation relations which are necessary for Bob to succeed at PI-STAR perfectly in Lemma 3.5.1 do induce a bipartite structure. We now exploit the structural similarity of the two problems.

We first consider the very simple case of two bases and a Boolean function. Here, it turns out that we can bound the value of the STAR problems using the CHSH inequality. We do this by showing a bound on the average of two equivalent STAR problems, illustrated in Figures 6.3 and 6.4. The XOR function considered in Chapter 3 is an example of such a problem. Below we construct a generalization of the CHSH inequality which allows us to make more general statements. We state our result in the notation introduced in Chapter 3. For simplicity, we use indices $+$ and $\times$ to denote two arbitrary bases and use the notation $\mathrm{STAR}(\rho_0, \ldots, \rho_{n-1})$ to refer to a state discrimination problem between $n$ different states.



6.4.1. Lemma. Let $P_X(x) = 1/2^n$ for all $x \in \{0, 1\}^n$ and let $f : \{0, 1\}^n \to \{0, 1\}$ be any Boolean function. Let $\mathcal{B} = \{+, \times\}$ denote a set of two bases, and suppose there exists a unitary $U$ such that $\rho_{0+} = U\rho_{0+}U^\dagger$, $\rho_{1+} = U\rho_{1+}U^\dagger$, $\rho_{1\times} = U\rho_{0\times}U^\dagger$ and $\rho_{0\times} = U\rho_{1\times}U^\dagger$. Suppose Bob succeeds at $\mathrm{PI\text{-}STAR}_0(f)$ with probability $p = 1$. Then he succeeds at $\mathrm{STAR}(\rho_0, \rho_1)$ with probability at most 3/4, where $\rho_0 = (\rho_{0+} + \rho_{0\times})/2$, $\rho_1 = (\rho_{1+} + \rho_{1\times})/2$.



Proof. Let $P_{0+}$, $P_{1+}$, $P_{0\times}$ and $P_{1\times}$ be projectors onto the support of $\rho_{0+}$, $\rho_{1+}$, $\rho_{0\times}$ and $\rho_{1\times}$ respectively. Suppose that Bob succeeds with probability $p$ at $\mathrm{STAR}(\rho_0, \rho_1)$. Then there exists a strategy for Alice and Bob to succeed at the CHSH game with probability $p$, where Alice's measurements are given by $\{P_{0+}, P_{1+}\}$ and $\{P_{0\times}, P_{1\times}\}$:

Let $\tilde{\rho}_0 = (\rho_{0+} + \rho_{1\times})/2$ and $\tilde{\rho}_1 = (\rho_{1+} + \rho_{0\times})/2$. Note that since there exists such a $U$, we have that Bob succeeds at $\mathrm{STAR}(\tilde{\rho}_0, \tilde{\rho}_1)$ with probability $p$ as well. Suppose that Alice and Bob share the maximally entangled state $|\Psi_{AB}\rangle^{\otimes n}$ with $|\Psi_{AB}\rangle = (|00\rangle + |11\rangle)/\sqrt{2}$. With probability 1/2 Alice chooses measurement setting $x = 0$ and then her measurement is given by $\{P_{0+}, P_{1+}\}$. Let $a$ denote her measurement outcome. Bob's system is now in the state $\rho_{a+}$. Similarly, with probability 1/2 Alice sets $x = 1$ and measures $\{P_{0\times}, P_{1\times}\}$, which leaves Bob's system in the state $\rho_{a\times}$. Let $y$ denote Bob's measurement setting. The CHSH game now requires Bob to obtain a measurement outcome $b$ such that $x \cdot y = a \oplus b$. Thus, for $y = 0$, Bob always tries to obtain $b = a$ which means he wants to solve $\mathrm{STAR}(\rho_0, \rho_1)$. For $y = 1$, Bob tries to obtain $b = a$ for $x = 0$ but $b = 1 - a$ for $x = 1$, i.e., he wants to solve $\mathrm{STAR}(\tilde{\rho}_0, \tilde{\rho}_1)$. Since Bob chooses $y \in \{0, 1\}$ uniformly at random, we obtain the stated result.

Now suppose that Bob succeeds at $\mathrm{PI\text{-}STAR}_0(f)$ with probability $p = 1$. We know from Lemma 3.5.1 that for all $y, y' \in \mathcal{Y}$ and $b, b' \in \mathcal{B}$ we have $[P_{yb}, P_{y'b'}] = 0$, where $P_{yb}$ is a projector onto the support of $\rho_{yb}$. Now, suppose that on the contrary he succeeds at $\mathrm{STAR}(\rho_0, \rho_1)$ with probability greater than 3/4. Then we know from the above argument that there exists a strategy for Alice and Bob to succeed at the CHSH game with probability greater than 3/4 where Alice measures two commuting observables, which contradicts Corollary 6.3.3. □







Figure 6.3: Original problem

Figure 6.4: Derived problem



It may appear unrealistic to assume that the two STAR problems are essentially equal. Note however, that this is indeed the case in the example of the XOR function and two mutually unbiased bases (e.g. computational and Hadamard). The unitary here is just $U = \sigma_z \otimes I^{\otimes n-1}$, as $\sigma_z$ acts as a bit-flip in the Hadamard basis, but leaves the computational basis invariant. We saw in the proof of Theorem 3.3.5 that such unitaries exist for any choice of two bases from the computational, Hadamard and K-basis. Indeed, for the XOR function on a string of length $n$ with $n$ even we saw that for STAR the optimal probability is $p = 3/4$, whereas for PI-STAR we obtained $p = 1$, as expected.

To generalize this approach, we need to consider more complicated inequalities. In general, there are many possibilities for such inequalities, and one should choose an inequality that reflects the equivalences of possible STAR problems: For example, for the XOR function the CHSH inequality is a good choice as we could identify $U = \sigma_z \otimes I^{\otimes n-1}$ to give us an equivalence between the two problems. Of course, we would like to ensure that for one of Bob's measurement settings he needs to solve the original STAR problem where Bob's goal is to determine Alice's measurement outcome. At the same time, we would like to minimize the number of possibly inequivalent additional STAR problems created in a similar proof, i.e. we would like to find an inequality where Bob has only a small number of measurement settings. As an example, we consider the following easy way to extend the CHSH inequality. Here, we assume that Alice has equally many measurement outcomes as she has measurement settings. In the language of PI-STAR that means we have wlog $A = \mathcal{Y} = S = \mathcal{B}$. We fix the number of Bob's measurement settings to 2, but allow an arbitrarily large number of settings $|S| = |\mathcal{B}|$ for Alice. Wlog we use $T = \{0, 1\}$ and $S = \{0, \ldots, |\mathcal{B}| - 1\}$. We now define the predicate $V$ with the help of the function $\tau^t_s$ for $s \in S$ and $t \in T$. Let $\tau^0_s(y) = y$ for all $s \in S$ and let $\tau^1_0(y) = y$ and $\tau^1_s(y) = \sigma^s(y)$ for all $s \in \{1, \ldots, |\mathcal{B}| - 1\}$, where $\sigma = (0, 1, \ldots, |\mathcal{B}| - 1)$ is the cyclic permutation. We now define the inequality as a non-local game with predicate $V(a, b|s, t) = 1$ if and only if $b = \tau^t_s(a)$. Intuitively, this means that if Bob chooses setting $t = 0$ he is required to solve the original STAR problem, where he tries to guess Alice's measurement outcome. For the setting $t = 1$ he has to solve the problem where the values of $y$ are shifted depending on the basis. Note that the CHSH inequality is a special case of this inequality. Recall from Section 6.2.3 that the optimal value of a classical game can always be attained by a deterministic strategy. Let $f_A : S \to \mathcal{Y}$ and $f_B : T \to \mathcal{Y}$ denote the functions implementing this strategy for Alice and Bob respectively. Looking at Eq. (6.3) we see that we can write

$$\omega_c(G) = \max_{f_A, f_B} \frac{1}{2|\mathcal{B}|} \sum_{t,s} [\tau^t_s(f_A(s)) = f_B(t)],$$

where $[x = y] = 1$ if and only if $x = y$. It is easy to see that for a uniform choice of Alice and Bob's measurements, the best thing Bob can do is answer $f_B(t) = x$ for all $t$ where we choose any fixed $x \in \mathcal{Y}$ and let $x = f_A(s)$ for all $s \in S$, i.e. Alice and Bob agree on a particular outcome which will always be their answer regardless of their setting. For $t = 0$ this means that Bob is always correct, and for $t = 1$ he will be correct if Alice obtained $a = 0$. We then have $\omega_c(G) = (|\mathcal{B}| + 1)/(2|\mathcal{B}|)$. For the CHSH case, this gives us $\omega_c(G) = 3/4$ as expected. It is now possible to make a statement similar to that in Lemma 6.4.1 for a bigger PI-STAR problem.
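As an added illustration (not code from the thesis), the following Python sketch enumerates every deterministic strategy of the extended CHSH game above and checks the classical value $(|\mathcal{B}| + 1)/(2|\mathcal{B}|)$ for small $|\mathcal{B}|$. It assumes uniformly chosen questions and reads the cyclic permutation as $\sigma^s(y) = y + s \bmod |\mathcal{B}|$; all function names are hypothetical.

```python
import itertools
from fractions import Fraction


def tau(t, s, y, size):
    """Relabelling tau^t_s(y): identity for t = 0, shift by s places for t = 1.

    Assumption: sigma is the full cycle on {0, ..., size-1},
    so sigma^s(y) = (y + s) mod size. For size = 2 this is the CHSH game.
    """
    return y if t == 0 else (y + s) % size


def wins(f_a, f_b, size):
    """Number of question pairs (s, t) won, i.e. with f_b[t] == tau^t_s(f_a[s])."""
    return sum(
        1
        for s in range(size)
        for t in (0, 1)
        if f_b[t] == tau(t, s, f_a[s], size)
    )


def classical_value(size):
    """Brute-force the best deterministic strategy for uniform questions."""
    best, best_pair = -1, None
    for f_a in itertools.product(range(size), repeat=size):   # Alice: S -> Y
        for f_b in itertools.product(range(size), repeat=2):  # Bob:   T -> Y
            won = wins(f_a, f_b, size)
            if won > best:
                best, best_pair = won, (f_a, f_b)
    return Fraction(best, 2 * size), best_pair


def constant_strategy_value(size, x=0):
    """Value of the strategy in the text: both always answer the agreed outcome x."""
    return Fraction(wins((x,) * size, (x, x), size), 2 * size)


if __name__ == "__main__":
    for size in range(2, 6):
        value, (f_a, f_b) = classical_value(size)
        print(size, value, constant_strategy_value(size), f_a, f_b)
```

The exhaustive search confirms that no deterministic strategy beats the constant one, because the sets of settings won at $t = 0$ and at $t = 1$ can overlap in at most one setting $s$.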

The connection to Bell inequalities helped us understand the case where there exists a clear gap between the two problems. Here, post-measurement information was extremely helpful to us. However, as we saw in Chapter 3, there do exist cases where post-measurement information is entirely useless: we can do equally well without it, if we cannot store any quantum information. Interestingly, in the example of the XOR function on an odd number of input bits this happens exactly when the corresponding states correspond to a measurement that maximally violates CHSH. We have thus reached an extremal point of our problem. Is it possible to find conditions on a set of states which determine when post-measurement information is indeed useful?



6.5 Conclusion 

As we saw, entanglement is an inherent aspect of quantum theory. We can experi- 
mentally violate Bell's inequality, because we can indeed measure non-commuting 
observables. The existence of such violations is, next to uncertainty relations and 
locking, another consequence of the existence of non-commuting measurements 
within quantum theory. This illustrates their close link to uncertainty relations, 
locking and even post-measurement information we encountered in the preceding 
chapters. In essence, in all these tasks we are faced with exactly the same prob- 
lem: what are the consequences of non-commuting measurements? And how can 
we find maximally "incompatible" measurements? 

In the following chapters, we examine entanglement from a variety of viewpoints. In Chapter 7, we first consider Bell inequalities, and show how to find upper bounds on their violation in a quantum setting. Our approach allows us to find the optimal measurements for any bipartite correlation inequality with two-outcome measurements in a very easy manner. We then consider more general multipartite inequalities. Sadly, our method does not easily apply for more general inequalities. In fact, it is not even clear how large our optimization problem would have to be. We therefore consider a related problem in Chapter 8: Given a probability distribution over measurement outcomes, how large a state do we need to implement such a strategy? We prove a very weak lower bound on the dimension of the resulting state for a very restricted class of games. Finally, we consider the effects that entanglement has on classical protocols in Chapter 9. To this end we examine interactive proof systems where the two provers are allowed to share entanglement. Surprisingly, it turns out that two such provers can be simulated by just a single quantum prover.



Chapter 7 



Finding optimal quantum strategies 



In the previous chapter, we encountered the CHSH inequality and its generalizations in the guise of quantum games. Tsirelson has proven an upper bound on the CHSH inequality that can be achieved using a quantum strategy. But how can we prove upper bounds for more general inequalities? Or actually, how can we find the optimal measurement strategy? In this chapter, we answer these questions for a restricted class of inequalities by presenting a method that yields the optimal strategy for any two-player correlation inequality with $n$ measurement settings and two measurement outcomes, i.e. an XOR-game.



7.1 Introduction 

Optimal strategies for generalized inequalities not only have applications in computer science with regard to interactive proof systems, but may also be important to ensure security in cryptographic protocols. From a physical perspective finding such bounds may also be helpful. As Braunstein and Caves [BC90b] have shown, it is interesting to consider inequalities based on many measurement settings, in particular, the chained CHSH inequality in Eq. (7.1) below: Here, the gap between the classical and the quantum bound is larger than for the original CHSH inequality with only two measurement settings. This can be helpful in real experiments that inevitably include noise, as this inequality leads to a larger gap achieved by the optimal classical and the quantum strategy, and may thus lead to a better test. However, determining bounds on the correlations that quantum theory allows remains a difficult problem [BM05]. All Tsirelson-type bounds are known for correlation inequalities with two measurement settings and two outcomes for both Alice and Bob [Tsi93]. Landau [Lan88] has taken a step towards finding Tsirelson-type bounds by considering when two-party correlations of two measurement settings for both Alice and Bob can be realized using quantum measurements. Filipp and Svozil [FS04] have considered the case of three measurement settings analytically and conducted numerical studies for a larger number of settings. Werner and Wolf [WW01a] also considered obtaining Tsirelson-type bounds for two-outcome measurements for multiple parties and studied the case of three and four settings explicitly. However, their method is hard to apply to general inequalities. Finally, Buhrman and Massar have shown a bound for a generalized CHSH inequality using three measurement settings with three outcomes each [BM05]. It is not known whether this bound can be attained.

Our approach is based on semidefinite programming in combination with Tsirelson's seminal results [Tsi80, Tsi87, Tsi93] as outlined in Section 6.3.2. See Appendix A for a brief introduction to semidefinite programming. It is very easy to apply and gives tight bounds as we can find the optimal measurements explicitly. Let $X$ and $Y$ be Alice's and Bob's observables, and let $|\Psi\rangle$ be a state shared by Alice and Bob. The key benefit we derive from Tsirelson's construction is that it saves us from the need to maximize over all states $|\Psi\rangle$ and observables. Instead, we can replace any terms of the form $\langle\Psi|X \otimes Y|\Psi\rangle$ with the inner product of two real unit vectors $x \cdot y$, and then maximize over all such vectors instead. Our method is thereby similar to methods used in computer science for the two-way partitioning problem [BV04] and the approximation algorithm for MAXCUT by Goemans and Williamson [GW95]. Semidefinite programming allows for an efficient way to approximate Tsirelson's bounds for any CHSH-type inequalities numerically. However, it can also be used to prove Tsirelson-type bounds analytically. As an illustration, we first give an alternative proof of Tsirelson's original bound using semidefinite programming. We then prove a new Tsirelson-type bound for the following generalized CHSH inequality [Per93, BC90b]. Classically, it can be shown that

$$\left| \sum_{i=1}^{n} \langle X_i Y_i \rangle + \sum_{i=1}^{n-1} \langle X_{i+1} Y_i \rangle - \langle X_1 Y_n \rangle \right| \le 2n - 2. \quad (7.1)$$

Here, we show that for quantum mechanics

$$\left| \sum_{i=1}^{n} \langle X_i Y_i \rangle + \sum_{i=1}^{n-1} \langle X_{i+1} Y_i \rangle - \langle X_1 Y_n \rangle \right| \le 2n \cos\left(\frac{\pi}{2n}\right),$$

where $\{X_1, \ldots, X_n\}$ and $\{Y_1, \ldots, Y_n\}$ are observables with eigenvalues $\pm 1$ employed by Alice and Bob respectively, corresponding to their $n$ possible measurement settings. It is well known that this bound can be achieved [Per93, BC90b] for a specific set of measurement settings if Alice and Bob share a singlet state. Here, we show that this bound is indeed optimal for any state $|\Psi\rangle$ and choice of measurement settings. This method generalizes to other CHSH inequalities, for example, the inequality considered by Gisin [Gis99].

7.2 A simple example: Tsirelson's bound

To illustrate our approach we first give a detailed proof of Tsirelson's bound using semidefinite programming. This proof is more complicated than Tsirelson's original proof. However, it serves as a good introduction to the following section. Let $X_1, X_2$ and $Y_1, Y_2$ denote the observables with eigenvalues $\pm 1$ used by Alice and Bob respectively. Our goal is now to show an upper bound for



From Theorem 6.3.4 we know that there exist real unit vectors $x_s, y_t \in \mathbb{R}^4$ such that for all $s, t \in \{0, 1\}$ $\langle X_s Y_t \rangle = x_s \cdot y_t$. In order to find Tsirelson's bound, we thus want to solve the following problem: maximize $x_1 \cdot y_1 + x_1 \cdot y_2 + x_2 \cdot y_1 - x_2 \cdot y_2$, subject to $\|x_1\| = \|x_2\| = \|y_1\| = \|y_2\| = 1$. Note that we can drop the absolute value since any set of vectors maximizing the above equation simultaneously leads to a set of vectors minimizing it by taking $-y_1, -y_2$ instead. We now phrase this as a semidefinite program. Let $G = [g_{ij}]$ be the Gram matrix of the vectors $\{x_1, x_2, y_1, y_2\} \subseteq \mathbb{R}^4$ with respect to the inner product:

$$G = \begin{pmatrix} x_1 \cdot x_1 & x_1 \cdot x_2 & x_1 \cdot y_1 & x_1 \cdot y_2 \\ x_2 \cdot x_1 & x_2 \cdot x_2 & x_2 \cdot y_1 & x_2 \cdot y_2 \\ y_1 \cdot x_1 & y_1 \cdot x_2 & y_1 \cdot y_1 & y_1 \cdot y_2 \\ y_2 \cdot x_1 & y_2 \cdot x_2 & y_2 \cdot y_1 & y_2 \cdot y_2 \end{pmatrix}$$

$G$ can thus be written as $G = B^T B$ where the columns of $B$ are the vectors $\{x_1, x_2, y_1, y_2\}$. By [HJ85, Theorem 7.2.11] we can write $G = B^T B$ if and only if $G$ is positive semidefinite. We thus impose the constraint that $G \ge 0$. To make sure that we obtain unit vectors, we add the constraint that all diagonal entries of $G$ must be equal to 1. Define

$$W = \begin{pmatrix} 0 & 0 & 1 & 1 \\ 0 & 0 & 1 & -1 \\ 1 & 1 & 0 & 0 \\ 1 & -1 & 0 & 0 \end{pmatrix}$$

Note that the choice of order of the vectors in $B$ is not unique, however, a different order only leads to a different $W$ and does not change our argument. We can now rephrase our optimization problem as the following SDP:

maximize $\frac{1}{2}\mathrm{Tr}(GW)$
subject to $G \ge 0$ and $\forall i, g_{ii} = 1$

We can then write for the Lagrangian

$$L(G, \lambda) = \frac{1}{2}\mathrm{Tr}(GW) - \mathrm{Tr}(\mathrm{diag}(\lambda)(G - I)),$$

where $\lambda = (\lambda_1, \lambda_2, \lambda_3, \lambda_4)$. The dual function is then

$$\sup_G \mathrm{Tr}\left(G\left(\frac{1}{2}W - \mathrm{diag}(\lambda)\right)\right) + \mathrm{Tr}(\mathrm{diag}(\lambda)) = \begin{cases} \mathrm{Tr}(\mathrm{diag}(\lambda)) & \text{if } \frac{1}{2}W - \mathrm{diag}(\lambda) \le 0 \\ \infty & \text{otherwise} \end{cases}$$

We then obtain the following dual formulation of the SDP

minimize $\mathrm{Tr}(\mathrm{diag}(\lambda))$
subject to $-\frac{1}{2}W + \mathrm{diag}(\lambda) \ge 0$

Let $p'$ and $d'$ denote optimal values for the primal and Lagrange dual problem respectively. From weak duality it follows that $d' \ge p'$. For our example, it is not difficult to see that this is indeed true as we show in Appendix A.

In order to prove Tsirelson's bound, we now exhibit an optimal solution for both the primal and dual problem and then show that the value of the primal problem equals the value of the dual problem. The optimal solution is well known [Tsi80, Tsi87, Per93]. Alternatively, we could easily guess the optimal solution based on numerical optimization by a small program for Matlab¹ and the package SeDuMi [SA] for semidefinite programming. Consider the following solution for the primal problem

$$G' = \begin{pmatrix} 1 & 0 & \frac{1}{\sqrt{2}} & \frac{1}{\sqrt{2}} \\ 0 & 1 & \frac{1}{\sqrt{2}} & -\frac{1}{\sqrt{2}} \\ \frac{1}{\sqrt{2}} & \frac{1}{\sqrt{2}} & 1 & 0 \\ \frac{1}{\sqrt{2}} & -\frac{1}{\sqrt{2}} & 0 & 1 \end{pmatrix}$$

which gives rise to the primal value $p' = \frac{1}{2}\mathrm{Tr}(G'W) = 2\sqrt{2}$. Note that $G' \ge 0$ since all its eigenvalues are non-negative [HJ85, Theorem 7.2.1], and all its diagonal entries are 1. Thus all constraints are satisfied. The lower left quadrant of $G'$ is in fact the same as the well known correlation matrix for 2 observables [Tsi93, Equation 3.16]. Next, consider the following solution for the dual problem

$$\lambda' = \frac{1}{\sqrt{2}}(1, 1, 1, 1).$$

The dual value is then $d' = \mathrm{Tr}(\mathrm{diag}(\lambda')) = 2\sqrt{2}$. Because $-\frac{1}{2}W + \mathrm{diag}(\lambda') \ge 0$, $\lambda'$ satisfies the constraint. Since $p' = d'$, $G'$ and $\lambda'$ are in fact optimal solutions for the primal and dual respectively. We can thus conclude that

which is Tsirelson's bound [Tsi80]. By Theorem 6.3.4, this bound is achievable.



¹ See http://www.cwi.nl/~wehner/tsircl/ for the Matlab example code.

7.3 The generalized CHSH inequality



We now show how to obtain bounds for inequalities based on more than 2 observables for both Alice and Bob. In particular, we prove a bound for the chained CHSH inequality for the quantum case. It is well known [Per93] that it is possible to choose observables $X_1, \ldots, X_n$ and $Y_1, \ldots, Y_n$, and the maximally entangled state, such that

$$\left| \sum_{i=1}^{n} \langle X_i Y_i \rangle + \sum_{i=1}^{n-1} \langle X_{i+1} Y_i \rangle - \langle X_1 Y_n \rangle \right| = 2n \cos\left(\frac{\pi}{2n}\right).$$

We now show that this is optimal. Our proof is similar to the last section. However, it is more difficult to show feasibility for all $n$.

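7.3.1. Theorem. Let $\rho \in A \otimes B$ be an arbitrary state, where $A$ and $B$ denote the Hilbert spaces of Alice and Bob. Let $X_1, \ldots, X_n$ and $Y_1, \ldots, Y_n$ be observables with eigenvalues $\pm 1$ on $A$ and $B$ respectively. Then

$$\left| \sum_{i=1}^{n} \langle X_i Y_i \rangle + \sum_{i=1}^{n-1} \langle X_{i+1} Y_i \rangle - \langle X_1 Y_n \rangle \right| \le 2n \cos\left(\frac{\pi}{2n}\right).$$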

Proof. By Theorem 6.3.4 our goal is to find the maximum value for $x_1 \cdot y_1 + x_2 \cdot y_1 + x_2 \cdot y_2 + x_3 \cdot y_2 + \ldots + x_n \cdot y_n - x_1 \cdot y_n$, for real unit vectors $x_1, \ldots, x_n, y_1, \ldots, y_n \in \mathbb{R}^{2n}$. As above we can drop the absolute value. Let $G = [g_{ij}]$ be the Gram matrix of the vectors $\{x_1, \ldots, x_n, y_1, \ldots, y_n\} \subseteq \mathbb{R}^{2n}$. As before, we can thus write $G = B^T B$, where the columns of $B$ are the vectors $\{x_1, \ldots, x_n, y_1, \ldots, y_n\}$, if and only if $G \ge 0$. To ensure we obtain unit vectors, we again demand that all diagonal entries of $G$ equal 1. Define the $n \times n$ matrix $A$ and the $2n \times 2n$ matrix $W$ by

$$A = \begin{pmatrix} 1 & 1 & 0 & \ldots & 0 \\ 0 & 1 & 1 & & \vdots \\ \vdots & & \ddots & \ddots & 0 \\ 0 & & & 1 & 1 \\ -1 & 0 & \ldots & 0 & 1 \end{pmatrix}, \qquad W = \begin{pmatrix} 0 & A^\dagger \\ A & 0 \end{pmatrix}.$$

We can now phrase our maximization problem as the following SDP:

maximize $\frac{1}{2}\mathrm{Tr}(GW)$
subject to $G \ge 0$ and $\forall i, g_{ii} = 1$

Analogous to the previous section, the dual SDP is then:

minimize $\mathrm{Tr}(\mathrm{diag}(\lambda))$
subject to $-\frac{1}{2}W + \mathrm{diag}(\lambda) \ge 0$

Let $p'$ and $d'$ denote optimal values for the primal and dual problem respectively. As before, $d' \ge p'$.
Primal We now show that the vectors suggested in [Per93] are optimal. For $k \in [n]$, choose unit vectors $x_k, y_k \in \mathbb{R}^{2n}$ to be of the form

$$x_k = (\cos(\phi_k), \sin(\phi_k), 0, \ldots, 0),$$
$$y_k = (\cos(\psi_k), \sin(\psi_k), 0, \ldots, 0),$$

where $\phi_k = \frac{\pi}{2n}(2k - 2)$ and $\psi_k = \frac{\pi}{2n}(2k - 1)$. The angle between $x_k$ and $y_k$ is given by $\psi_k - \phi_k = \frac{\pi}{2n}$ and thus $x_k \cdot y_k = \cos\left(\frac{\pi}{2n}\right)$. The angle between $x_{k+1}$ and $y_k$ is $\phi_{k+1} - \psi_k = \frac{\pi}{2n}$ and thus $x_{k+1} \cdot y_k = \cos\left(\frac{\pi}{2n}\right)$. Finally, the angle between $-x_1$ and $y_n$ is $\pi - \psi_n = \frac{\pi}{2n}$ and so $-x_1 \cdot y_n = \cos\left(\frac{\pi}{2n}\right)$. The value of our primal problem is thus given by

$$p' = \sum_{k=1}^{n} x_k \cdot y_k + \sum_{k=1}^{n-1} x_{k+1} \cdot y_k - x_1 \cdot y_n = 2n \cos\left(\frac{\pi}{2n}\right).$$

Let $G'$ be the Gram matrix constructed from all vectors $x_k, y_k$ as described earlier. Note that our constraints are satisfied: $\forall i : g_{ii} = 1$ and $G' \ge 0$, because $G'$ is symmetric and of the form $G' = B^T B$.



Dual Now consider the 2n-dimensional vector 




In order to show that this is a feasible solution to the dual problem, we have to prove that $-\frac{1}{2}W + \mathrm{diag}(\lambda') \ge 0$ and thus the constraint is satisfied. To this end, we first show that

2. Claim. The eigenvalues of $A$ are given by $\gamma_s = 1 + e^{i\pi(2s+1)/n}$ with $s = 0, \ldots, n - 1$.

Proof. Note that if the lower left corner of $A$ were 1, $A$ would be a circulant matrix [Gra71], i.e. each row of $A$ is constructed by taking the previous row and shifting it one place to the right. We can use ideas from circulant matrices to guess eigenvalues $\gamma_s$ with eigenvectors

where $\rho_s = e^{-i\pi(2s+1)/n}$ and $s = 0, \ldots, n - 1$. By definition, $u = (u_1, u_2, \ldots, u_n)$ is an eigenvector of $A$ with eigenvalue $\gamma$ if and only if $Au = \gamma u$. Here, $Au = \gamma u$ if and only if

(i) $\forall j \in \{1, \ldots, n - 1\} : u_j + u_{j+1} = \gamma u_j$,

(ii) $-u_1 + u_n = \gamma u_n$.
Since for any $j \in \{1, \ldots, n - 1\}$

$$u_j + u_{j+1} = \rho_s^{n-j} + \rho_s^{n-j-1},$$

(i) is satisfied. Furthermore (ii) is satisfied, since

$$-u_1 + u_n = -e^{-i\pi(2s+1)} e^{i\pi(2s+1)/n} + 1 = 1 + e^{i\pi(2s+1)/n} = \gamma_s \rho_s^0 = \gamma_s u_n.$$

□



3. Claim. The largest eigenvalue of $W$ is given by $\gamma = 2\cos\left(\frac{\pi}{2n}\right)$.

Proof. By [HJ85, Theorem 7.3.7], the eigenvalues of $W$ are given by the singular values of $A$ and their negatives. It follows from Claim 2 that the singular values of $A$ are



Considering the shape of the cosine function, it is easy to see that the largest singular value of $A$ is given by $\sqrt{2 + 2\cos(\pi/n)} = \sqrt{4\cos^2(\pi/(2n))}$, so the largest eigenvalue of $W$ is $\sqrt{2 + 2\cos(\pi/n)} = 2\cos(\pi/(2n))$. □

Since —\W and diag(A') are both Hermitian, Weyl's theorem |HJ85t Theorem 
4.3.1] implies that 

7mm + diag(A')^ > Irmn + 7mm (diag(A')) , 

where 'jmin{M) is the smallest eigenvalue of a matrix M. It then follows from the 
fact that diag(A') is diagonal and Claim [3] that 



(-^W^ + diag(A0) >-^(2cos(; 



7mm ( -^Vr + diag(A') ) > (2cosf^)) +cos(^) =0. 



Thus -^W + diag(A') > and A' is a feasible solution to the dual problem. The 
value of the dual problem is then 



d' = Tr(diag(A')) = 2ncos ( —] 

\2n/ 
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Because p' = d', G' and A' are optimal solutions for the primal and dual respec- 
tively, which completes our proof. □ 
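The two claims and the dual feasibility argument above can be checked numerically; the following is an added example, not code from the thesis (whose own numerics were done in Matlab). It assumes the block form W = [[0, A], [A^T, 0]] implied by the singular-value statement, eigenvectors with entries u_j = rho_s^(n-j) as read off from conditions (i) and (ii), and a dual vector whose entries all equal cos(pi/(2n)); all function names are hypothetical.

```python
import cmath
import math


def build_A(n):
    """A for n settings: 1 on the diagonal and superdiagonal, -1 in the lower-left corner."""
    if n < 2:
        raise ValueError("need n >= 2")
    A = [[0.0] * n for _ in range(n)]
    for j in range(n):
        A[j][j] = 1.0
        if j + 1 < n:
            A[j][j + 1] = 1.0
    A[n - 1][0] = -1.0
    return A


def build_W(A):
    """Assumed block form W = [[0, A], [A^T, 0]]; A is real, so W is symmetric."""
    n = len(A)
    W = [[0.0] * (2 * n) for _ in range(2 * n)]
    for i in range(n):
        for j in range(n):
            W[i][n + j] = A[i][j]
            W[n + j][i] = A[i][j]
    return W


def residual(M, v, lam):
    """max_i |(Mv)_i - lam*v_i|, which vanishes exactly when (lam, v) is an eigenpair."""
    Mv = [sum(m * x for m, x in zip(row, v)) for row in M]
    return max(abs(y - lam * x) for y, x in zip(Mv, v))


def gamma(n, s):
    """Eigenvalue of A stated in Claim 2."""
    return 1 + cmath.exp(1j * math.pi * (2 * s + 1) / n)


def eigenvector(n, s):
    """u_j = rho_s^(n-j) for j = 1..n, with rho_s = exp(-i*pi*(2s+1)/n)."""
    rho = cmath.exp(-1j * math.pi * (2 * s + 1) / n)
    return [rho ** (n - j) for j in range(1, n + 1)]


def verify(n):
    """Check Claims 2 and 3 and dual feasibility for n settings; returns a summary dict."""
    A = build_A(n)
    W = build_W(A)
    worst = 0.0
    spectrum_W = []
    for s in range(n):
        g, u = gamma(n, s), eigenvector(n, s)
        worst = max(worst, residual(A, u, g))       # Claim 2: A u = gamma_s u
        sigma = abs(g)                               # A is normal, so |gamma_s| is a singular value
        phase = g.conjugate() / sigma if sigma > 1e-12 else 1.0
        for sign in (1, -1):                         # eigenpairs (+-sigma, (u, +-phase*u)) of W
            v = u + [sign * phase * x for x in u]
            worst = max(worst, residual(W, v, sign * sigma))
            spectrum_W.append(sign * sigma)
    # The 2n eigenvectors found are linearly independent, so spectrum_W is all of W's spectrum.
    largest = max(spectrum_W)
    lam = math.cos(math.pi / (2 * n))                # every entry of the dual vector (assumed)
    return {
        "max_residual": worst,
        "largest_eig_W": largest,
        "min_eig_dual": lam - largest / 2,           # smallest eigenvalue of -W/2 + diag(lambda')
        "dual_value": 2 * n * lam,                   # d' = Tr(diag(lambda'))
    }


if __name__ == "__main__":
    for n in (2, 3, 4, 8):
        print(n, verify(n))
```

For n = 2 the dual value is the familiar CHSH bound 2√2, and the smallest eigenvalue of the dual matrix is exactly zero, which is why the bound is tight.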



Note that for the primal problem we are effectively dealing with 2-dimensional
vectors, $x_k, y_k$. As we saw in Section 6.3.2, it follows from Tsirelson's
construction [Tsi93] that in this case we just need a single EPR pair such that we
can find observables that achieve this bound. In fact, these vectors just determine
the measurement directions as given in [Per93].



Figure 7.1: Optimal vectors for n = 4 obtained numerically using Matlab. (Plot legend: Alice, Bob.)



7.4 General approach and its applications 
7.4.1 General approach 

Our approach can easily be generalized to other correlation inequalities. For
another inequality, we merely use a different matrix $A$ in $W$. For example, for
Gisin's CHSH inequality [Gis99], $A$ is the matrix with 1's in the upper left half
and on the diagonal, and -1's in the lower right part. Otherwise our approach
stays exactly the same, and thus we do not consider this case here. Numerical
results provided by our Matlab example code suggest that Gisin's observables are
optimal. Given the framework of semidefinite programming, the only difficulty
in proving bounds for other inequalities is to determine the eigenvalues of the
corresponding $A$, a simple matrix. All bounds found this way are tight, as we
can always implement the resulting strategy using a maximally entangled state
as shown in Section 6.3.2.

With respect to finding numerical bounds, we see that the optimal strategy
can be found in time exponential in the number of measurement settings: The
size of the vectors scales exponentially with the number of settings, however, we
can fortunately find the optimal vectors in time polynomial in the length of the
vectors using well-known algorithms for semidefinite programming [BV04].



7.4.2 Applications 

In Chapter 9, we will see that the mere existence of such a semidefinite program
has implications for the computational complexity of interactive proof systems
with entanglement. Cleve, Høyer, Toner and Watrous [CHTW04a] have also
remarked during their presentation at CCC'04 that Tsirelson's construction leads
to an approach by semidefinite programming in the context of multiple interactive
proof systems with entanglement, but never gave an explicit argument.

The above semidefinite program has also been used to prove results about
compositions of quantum games, in particular, parallel repetitions of quantum
XOR-games [CSUU07]. One particular type of composition studied by Cleve,
Slofstra, Unger and Upadhyay [CSUU07] is the XOR-composition of non-local
games. For example, an XOR-composition of a CHSH game is a new game where
Alice and Bob each have n inputs $x_1, \ldots, x_n$ and $y_1, \ldots, y_n$ with $x_j, y_j \in \{0, 1\}$
and must give answers $a$ and $b$ such that $a \oplus b = \bigoplus_j x_j \cdot y_j$. In terms of our
semidefinite program, this is indeed easy to analyze. The matrix defining the
game is now given by




Note that the eigenvalues of $W$ are given by $\pm\sqrt{\gamma(A)\gamma(A)^*}$ where $\gamma(A) = \pm(\sqrt{2})^n$
is an eigenvalue of $A^{\otimes n}$. Consider the matrix $G = I + W/(\sqrt{2})^n$. Clearly,
$W/(\sqrt{2})^n$ has eigenvalues $\pm 1$ so we have $G \succeq 0$. Thus $G$ is a valid solution
to our primal problem, for which we obtain $p = \mathrm{Tr}(GW)/2 = (2\sqrt{2})^n$. Consider
$\lambda = (1, \ldots, 1)((\sqrt{2})^n/2)$. Clearly, it is a valid solution to our dual problem as
$-W/2 + \mathrm{diag}(\lambda) \succeq 0$, again using Weyl's theorem. This gives for our dual
problem $d = \mathrm{Tr}(\mathrm{diag}(\lambda)) = (2\sqrt{2})^n = p$ and thus our primal solution is optimal. For
more general problems, such a composition may be more complicated as the dual
solution is not immediately related to the eigenvalues of $W$. Nevertheless, it can
be readily evaluated using Schur's complement trick [CSUU07]. By rewriting, one
can then relate such compositions to the questions of parallel repetition: Given
multiple runs of the game, does there exist a better quantum measurement than
executing the optimal strategy of each round many times? It is very interesting
that this is in fact not true for XOR-games [CSUU07]. However, there exist
inequalities and specific quantum states for which collective measurements are
better. Such examples can be found in the works of Peres [Per96] and Liang and
Doherty [LD06]. Sadly, our approach fails here.

7.5 Conclusion

We have provided a simple method to obtain the optimal measurements for any 
bipartite correlation inequality, i.e. any two-player XOR game. Our method 
easily allows us to obtain bounds using numerical analysis, but also suits itself to 
construct analytical proofs as demonstrated by our examples. However, the above 
discussion immediately highlights the shortcomings of our approach. How can we 
find the optimal strategies for more generalized inequalities, where we have more 
than two players or a non-correlation inequality? Or more than two measurement 
outcomes? How can we find the optimal strategy for a fixed quantum state that 
is given to Alice and Bob? To address more than two measurement outcomes, we
can rescale the observables such that they have eigenvalues in the interval $[-1, 1]$.
Indeed, examining Tsirelson's proof, it is easy to see that we could achieve the
same by demanding that the vectors have a length proportional to the number of
settings. However, it is clear that the converse of Tsirelson's theorem that allows
us to construct measurements from the vectors can no longer hold. Indeed, any
matrix $M = \sum_j m_j X_j$ that can be written as a sum of anti-commuting matrices
$X_1, \ldots, X_n$ with $X_j^2 = I$ and $\sum_j m_j^2 = 1$ must have eigenvalues $\pm 1$ itself since

$M^2 = \sum_{jk} m_j m_k X_j X_k = \left(\sum_j m_j^2\right) I = I$.

Since the completion of this work, exciting progress has been made to answer
the above questions. Liang and Doherty [LD07] have shown how to obtain
lower and upper bounds on the optimal strategy achievable using a fixed
quantum state using semidefinite programming relaxations. Kempe, Kobayashi,
Matsumoto, Toner and Vidick [KKM+07] have since shown that there exist
three-player games for which the optimal quantum strategy cannot be computed using
a semidefinite program that is exponential in the number of measurement
settings unless P=NP. Finally, Navascués, Pironio and Acín [NPA07] have shown
how to obtain bounds for general two-party inequalities with more measurement
outcomes using semidefinite programming, inspired by Landau [Lan88]. Their
beautiful approach used successive hierarchies of semidefinite programs to obtain
better and better bounds. In their approach, they consider whether a given
distribution over outcomes can be obtained using a quantum strategy. Sadly, it does
not give a general method to construct actual measurements and thus show that
an obtained bound is tight. A similar result obtained using an approach that is
essentially dual to [NPA07] has been obtained in [DLTW08], which also proves a
convergence result for such a hierarchy.

One of the difficulties we face when trying to find tight bounds for more general 
inequalities is to determine how large our optimization problem has to be. But 
even if we are given some distribution over possible outcomes, how can we decide 
how large our system has to be in order to implement a quantum strategy? In 
general, this is a tricky problem which we will consider in the next chapter. 



Chapter 8 



Bounding entanglement in NL-games 



In the previous chapter, we provided a simple method to determine the optimal 
quantum strategy for two-outcome XOR games. However, when trying to find 
the optimal strategies for more general games, we are faced with a fundamental 
issue: How large do we have to choose our state and measurements such that we 
can achieve the optimal quantum value? 

8.1 Introduction 

Determining an upper bound and the amount of entanglement we need, given 
the description of the game alone, turns out to be a tricky problem in the gen- 
eral case. Hence, we address an intermediate problem: Given the description of 
a non-local game and associated probabilities, how large a state do Alice and 
Bob need to implement such a strategy? Navascués, Pironio and Acín [NPA07]
and also [DLTW08] have shown how to obtain upper bounds for the violation of
more general quantum games using multiple hierarchies of semidefinite programs. 
However, their method does not provide us with an explicit strategy, and it re- 
mains unclear how many levels of the hierarchy we need to consider in order to 
obtain a tight bound. Yet, from their method we can obtain a probability distri- 
bution over measurement outcomes. Using our approach, we can then determine 
an extremely weak lower bound on the dimension of the quantum state we would 
need in order to implement a corresponding quantum strategy. 

The idea behind our approach is to transform a non-local game into a random 
access code. A random access code is an encoding of a string into a quantum 
state such that we can retrieve at least one entry of our choice from this string 
with some probability. Intuitively, Alice's measurements will create an encoding. 
Bob's choice of measurement then determines which bit of this "encoding" he 
wants to retrieve. We prove a general lower bound for any independent one- 
to-one non-local game among n players, where a one-to-one non-local game is a 
game where for each possible measurement setting there exists exactly one correct
measurement outcome. In particular, we show that in any one-to-one non-local
game where player $P_j$ obtains the correct outcome $a \in A_j$ for any measurement
setting $s \in S_j$ with probability $p$ the dimension $d$ of player $P_j$'s state obeys

$d \geq 2^{(\log|A_j| - H(p) - (1-p)\log(|A_j|-1))|S_j|}$.

Even though our bound is very weak, and the class of games very restricted, we are 
hopeful that our approach may lead to stronger results in the future. Finally, we 
discuss how we could obtain upper bounds from the description of the non-local 
game alone without resorting to probability distributions. 



8.2 Preliminaries 

Before we can prove our lower bound, we first introduce the notion of a random 
access code. For our purposes, we need to generalize the existing results on 
random access codes. We use $M(\rho)$ to denote the random variable corresponding
to the outcome of a measurement $M$ on a state $\rho$. We also use to denote an
n-element string where each element is chosen from an alphabet A. We will also
use the notation $s_{-j}$ to denote the string $s = (s_1, \ldots, s_n)$ without the element $s_j$.

8.2.1 Random access codes 



A quantum $(n, m, p)$-random access code (RAC) [ANTV99, Nay99] over a binary
alphabet is an encoding of an n-bit string $x$ into an m-qubit state $\rho_x$ such that for
any $i \in [n]$ we can retrieve $x_i$ from $\rho_x$ with probability $p$. Note that we are only
interested in retrieving a single bit of the original string $x$ from $\rho_x$. In general, it
is unlikely we will be able to retrieve more than a single bit. For such codes the
following lower bound has been shown [Nay99, Theorem 2.3], where it is assumed
that the original strings $x$ are chosen uniformly at random:

8.2.1. Theorem (Nayak). Any $(n, m, p)$-random access code has $m \geq (1 - H(p))n$.

In the following, we make use of a generalization of random access codes to
larger alphabets. We also need two additional generalizations: First, we also
want to obtain a bound on such a RAC encoding if the string $x$ is chosen from a
slightly more general, possibly non-uniform, distribution. Let $P_{X_t}$ be a probability
distribution over $\Sigma$ and let $P_X = P_{X_1} \times \ldots \times P_{X_n}$ be a probability distribution over
$\Sigma^n$. That is, a particular string $x$ is chosen with probability $P_X(x) = \prod_{t=1}^{n} P_{X_t}(x_t)$.
Note that we assume that the individual entries of $x$ are chosen independently.

Second, we allow for unbalanced random access codes, where each entry of the
string $x$ may have a different probability of being decoded correctly. We define

8.2.2. Definition. An $(n, m, (p_1, \ldots, p_n))_{|\Sigma|}$-unbalanced random access code (URAC)
over a finite alphabet $\Sigma$ is an encoding of an n-element string $x \in \Sigma^n$ into an
m-qubit state $\rho_x$ such that for any $t \in [n]$, there exists a measurement $M_t$ with
outcomes $\Sigma$ such that for all $x \in \Sigma^n$ we have $\Pr[M_t(\rho_x) = x_t] \geq p_t$.

Fortunately, it is straightforward to extend the analysis of Nayak [Nay99] to
this setting. We extend the proof by Nayak as opposed to other known proofs 
of this lower bound in order to deal with unbalanced random access codes more 
easily. 

8.2.3. Lemma. Let $P_X = P_{X_1} \times \ldots \times P_{X_n}$ be a probability distribution over $\Sigma^n$.
Then any $(n, m, (p_1, \ldots, p_n))_{|\Sigma|}$-unbalanced random access code has

$m \geq \sum_{t=1}^{n} \left[ H(X_t) - H(p_t) - (1 - p_t)\log(|\Sigma| - 1) \right]$,

where $X_t$ is a random variable chosen from $\Sigma$ according to the probability
distribution $P_{X_t}$.

Proof. The proof follows along the same lines as Lemma 4.1 and Claim 4.6
of [Nay99]. We state the adaption for clarity:

We first consider decoding a single element. Let $\sigma_a$ with $a \in \Sigma$ be density
matrices, and let $P$ be a probability distribution over $\Sigma$. Define $\sigma = \sum_{a \in \Sigma} P(a)\sigma_a$.
Let $M$ be a measurement with outcomes $\Sigma$ that given any state $\sigma_a$ gives the
correct outcome $a$ with average probability $p$. Let $X$ be a random variable over
$\Sigma$ chosen according to probability distribution $P$, and let $Z$ be a random variable
over $\Sigma$ corresponding to the outcome of the measurement. It now follows from
Fano's inequality (see for example [Hay06, Theorem 2.2]) that
$I(X, Z) = H(X) - H(X|Z) \geq H(X) - H(p) - (1 - p)\log(|\Sigma| - 1)$. Using Holevo's bound, we then
have $S(\sigma) \geq \sum_{a \in \Sigma} P(a) S(\sigma_a) + H(X) - H(p) - (1 - p)\log(|\Sigma| - 1)$.

We now consider an entire string $x$ encoded as a state $\rho_x$. Consider $k$ with
$n \geq k \geq 0$ and define $\rho_y = \sum_{z \in \Sigma^{n-k}} q_z \rho_{zy}$ with $q_z = \prod_{j=1}^{n-k} P_{X_j}(z_j)$ where we
used indices $z = z_1, \ldots, z_{n-k}$ and $P_{X_j}$ to denote the probability distribution over
$\Sigma$ according to which the j-th entry was encoded. We now claim that

$S(\rho_y) \geq \sum_{a \in \Sigma} P_{X_{n-k}}(a) S(\rho_{ay}) + H(X_{n-k}) - H(p_{n-k}) - (1 - p_{n-k})\log(|\Sigma| - 1)$.

The proof follows by downward induction over $k$: Consider $n = k$, clearly $S(\rho_y) \geq 0$ and the
claim is valid. Now suppose our claim holds for $k + 1$. Note that we have
$\rho_y = \sum_{a \in \Sigma} P_{X_{n-k}}(a) \rho_{ay}$. Note that strings encoded by the density matrices $\rho_{ay}$ only
differ by one element $a \in \Sigma$. We can therefore distinguish them with probability
$p_{n-k}$. From the above discussion we have that

$S(\rho_y) \geq \sum_{a \in \Sigma} P_{X_{n-k}}(a) S(\rho_{ay}) + H(X_{n-k}) - H(p_{n-k}) - (1 - p_{n-k})\log(|\Sigma| - 1)$.

Using the inductive hypothesis, letting $y$ be the empty string and using the
fact that $S(\rho) \leq \log d = m$ then completes the proof. □

8.2.2 Non-local games and state discrimination

For our purpose, we need to think of non-local games as a special form of state 
discrimination. When each subset of players performs a measurement on their 
part of the state, they effectively prepare a certain state on the system of the
remaining players. Let denote the state of Player $P_j$ if the remaining players
chose measurement settings $s_{-j}$ and obtained outcomes $a_{-j}$. Note that the
probability that player $P_j$ holds $\zeta^{s_{-j}}_{a_{-j}}$ is $\Pr[a_{-j}, s_{-j}] = \Pr[a_{-j}|s_{-j}] \prod_{\ell \neq j} \pi_\ell(s_\ell)$.
Define the state 

where ql] = ^(^^1^) Pr[a_j|s_j] to ensure normalization. We call a 

game independent, if the sets of probabilities $\{q^u_{a_j} \mid a_j \in A_j\}$ and $\{q^v_{a_j} \mid a_j \in A_j\}$
are uncorrelated for all measurement settings $u, v \in S_j$ with $u \neq v$. Note that
$q^{s_j}_{a_j}$ is the probability that player $P_j$ holds state $\zeta^{s_j}_{a_j}$, and that $\sum_{a_j \in A_j} q^{s_j}_{a_j} = 1$
since the game is one-to-one. If player $P_j$ now chooses measurement setting $s_j$ he
is effectively trying to solve a state discrimination problem, given the ensemble
$\{q^{s_j}_{a_j}, \zeta^{s_j}_{a_j} \mid a_j \in A_j\}$.



Note that we already encountered this viewpoint in Chapter 6.4. Consider
the simple case of the CHSH game. Here, Alice (Player 1) and Bob (Player 2)
had to give answers $a_1$ and $a_2$ for settings $s_1$ and $s_2$ such that $s_1 \cdot s_2 = a_1 \oplus a_2$.
Let denote Bob's state if Alice chose measurement setting $s_1$ and obtained
outcome $a_1$. If Bob chooses setting $s_2 = 0$, he has to solve the state discrimination
problem described by Figure 6.3: he must answer $a_2 = a_1$, and hence his goal
is to learn $a_1$. That is, he must solve the state discrimination problem given by
$\rho_0 = (\zeta^0_0 + \zeta^1_0)/2$ and $\rho_1 = (\zeta^0_1 + \zeta^1_1)/2$. For $s_2 = 1$, he has to solve the problem
given by Figure [6^ For $s_1 = 0$, he must answer $a_2 = a_1$, but for $s_1 = 1$ he must
answer $a_2 \neq a_1$. Hence, he must solve the state discrimination problem given by
$\rho_0 = (\zeta^0_0 + \zeta^1_1)/2$ and $\rho_1 = (\zeta^0_1 + \zeta^1_0)/2$.



8.3 A lower bound 

We now show how to obtain a random access encoding from a one-to-one non-local 
game. This enables us to find a lower bound on the dimension of the quantum 
state necessary for any player Pj to implement particular non-local strategies. 
Recall that we are trying to give a bound given all parameters of the game. In
particular, we are given the probabilities $\Pr[a_{-j}|s_{-j}]$ that the remaining players
obtain outcomes $a_{-j}$ for their measurement settings $s_{-j}$, as well as the value of
the game. Note that we do not need to know an actual state and measurement 
strategy for the players. We just want to give a lower bound for a chosen set of 
parameters, whether these can be obtained or not. 



8.3.1. Theorem. Any one-to-one independent non-local game where player $P_j$
obtains the correct outcome $a_j \in A_j$ for measurement setting $s_j \in S_j$ with
probability $p_{s_j}$ for all $s_{-j} \in S_1 \times \ldots \times S_{j-1} \times S_{j+1} \times \ldots \times S_N$ and
$a_{-j} \in A_1 \times \ldots \times A_{j-1} \times A_{j+1} \times \ldots \times A_N$ is a $(|S_j|, m, (p_1, \ldots, p_{|S_j|}))_{|A_j|}$-unbalanced
random access code.



Proof. To encode a string, the other players choose measurement settings $s_{-j}$
and measure their part of the state as in the non-local game to obtain outcomes
$a_{-j}$. Note that the string is chosen randomly by the measurement. Since our
game was one-to-one we can define a function

$g(s_{-j}, a_{-j}) = f_1(s_{-j}, a_{-j}), \ldots, f_{|S_j|}(s_{-j}, a_{-j})$.

Let $x = g(s_{-j}, a_{-j})$ be the encoded string and note that $\rho_x = \zeta^{s_{-j}}_{a_{-j}}$. We have
$P_{X_t}(c) = q^t_c$ since our game is one-to-one. Since our game is independent, we
have that $P_X$ is a product distribution. To retrieve the t-th entry of $x$, player
$P_j$ then has to distinguish $\zeta^t_a$ as in the non-local game which he can do with
probability $p_t$ by assumption. □



Now that we can obtain a random access code from a non-local game, we can
easily give a lower bound on the dimension of the state from a lower bound of
the size of the random access code. It follows immediately from Theorem 8.3.1
and Lemma 8.2.3 that

8.3.2. Corollary. In any one-to-one independent non-local game where player
$P_j$ obtains the correct outcome $a \in A_j$ for measurement setting $s \in S_j$ with
probability $p_s$ for all measurement settings $s_{-j} \in S_1 \times \ldots \times S_{j-1} \times S_{j+1} \times \ldots \times S_N$
and outcomes $a_{-j} \in A_1 \times \ldots \times A_{j-1} \times A_{j+1} \times \ldots \times A_N$ of the other players, the
dimension $d$ of player $P_j$'s state obeys

$d \geq 2^{\sum_{t=1}^{|S_j|} \left[ H(X_t) - H(p_t) - (1 - p_t)\log(|A_j| - 1) \right]}$,

where $X_t$ is a random variable chosen from $A_j$ where $\Pr[X_t = a] = q^t_a$.

For almost all known games, we can obtain a simplified bound as each player 
will choose a measurement setting uniformly at random. Likewise, in most cases 
we can assume that the probability that the players obtain certain outcomes is 
also uniform. Indeed, if we do not know a particular measurement strategy for 
a given game, we can find a bound if we assume that the distribution over the 
outcomes given the choice of measurement settings is uniform. In this case, we 
also assume that the probability of giving the correct answer is the same for each 
possible choice of measurement settings and is equal to the value of the game. 
We then obtain

8.3.3. Corollary. In any one-to-one independent non-local game where player
$P_j$ obtains the correct outcome $a \in A_j$ for any measurement setting $s \in S_j$ with
probability $p$ where $q^t_a = 1/|A_j|$ for all $t \in S_j$ and measurement settings
$s_{-j} \in S_1 \times \ldots \times S_{j-1} \times S_{j+1} \times \ldots \times S_N$ and outcomes
$a_{-j} \in A_1 \times \ldots \times A_{j-1} \times A_{j+1} \times \ldots \times A_N$ of the other players, the dimension $d$ of
player $P_j$'s state obeys

$d \geq 2^{(\log(|A_j|) - H(p) - (1-p)\log(|A_j|-1))|S_j|}$.

Note that if we are willing to assume that the optimal value of the game is
achieved when the players share a maximally entangled state, we can improve
this bound to $d \geq \max_j 2^{(\log(|A_j|) - H(p) - (1-p)\log(|A_j|-1))|S_j|}$.

Let's look at a small example which illustrates the proof. Consider the CHSH
inequality. Here, we have only two players, Alice (Player 1) and Bob (Player
2). Bob's goal is to obtain an outcome $a_2$ such that $s_1 \cdot s_2 = a_1 + a_2 \bmod 2$.
This means we define the function $g(s_1, a_1) = x$ as $g(0,0) = 0,0$, $g(1,0) = 1,1$,
$g(0,1) = 1$, and $g(1,1) = 0,1$. For the lower bound we do not need to consider
a specific encoding, however, for the well-known CHSH state and measurements
we would have an encoding of $\rho_{00} = |0\rangle\langle 0|$, $\rho_{01} = |-\rangle\langle -|$, $\rho_{10} = |+\rangle\langle +|$, and
$\rho_{11} = |1\rangle\langle 1|$ and $q^1_{x_1} = q^2_{x_2} = 1/2$ for all $x_1, x_2 \in \{0, 1\}$. How many qubits does Bob need
to use if he wants to give the correct answers with probability $p = 1/2 + 1/(2\sqrt{2})$?
Since everything is uniform we obtain $\log d \geq (1 - H(p)) \cdot 2 \approx 0.8$, i.e., Bob needs
to keep at least one qubit.
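The bounds of Lemma 8.2.3 and Corollary 8.3.3 evaluated numerically, as an added example that is not code from the thesis; function names are hypothetical and all logarithms are taken base 2. It reproduces the CHSH value of about 0.8 computed above, and covers the general unbalanced, non-uniform case as well as the dependence on the number of settings.

```python
import math


def entropy(dist):
    """Shannon entropy in bits of a probability distribution given as a list."""
    if abs(sum(dist) - 1.0) > 1e-9 or any(q < 0 for q in dist):
        raise ValueError("not a probability distribution")
    return -sum(q * math.log2(q) for q in dist if q > 0)


def fano_term(p, alphabet_size):
    """H(p) + (1 - p) log(|Sigma| - 1): the loss allowed by Fano's inequality per entry."""
    if not 0.0 <= p <= 1.0 or alphabet_size < 2:
        raise ValueError("need 0 <= p <= 1 and an alphabet of size >= 2")
    return entropy([p, 1.0 - p]) + (1.0 - p) * math.log2(alphabet_size - 1)


def urac_qubit_bound(entry_dists, success_probs):
    """Lemma 8.2.3: m >= sum_t [H(X_t) - H(p_t) - (1 - p_t) log(|Sigma| - 1)]."""
    if len(entry_dists) != len(success_probs) or not entry_dists:
        raise ValueError("need one distribution and one success probability per entry")
    size = len(entry_dists[0])
    total = 0.0
    for dist, p in zip(entry_dists, success_probs):
        if len(dist) != size:
            raise ValueError("all entries must use the same alphabet")
        total += entropy(dist) - fano_term(p, size)
    return total


def uniform_game_bound(num_outcomes, num_settings, p):
    """Corollary 8.3.3: log d >= (log|A_j| - H(p) - (1 - p) log(|A_j| - 1)) |S_j|."""
    uniform = [1.0 / num_outcomes] * num_outcomes
    return urac_qubit_bound([uniform] * num_settings, [p] * num_settings)


def min_qubits(bound):
    """Smallest whole number of qubits m with m >= bound (a negative bound is vacuous)."""
    return max(0, math.ceil(bound - 1e-12))


def settings_needed(num_outcomes, p, qubits):
    """Smallest |S_j| at which the uniform bound forces `qubits` qubits, or None if it never does."""
    per_setting = uniform_game_bound(num_outcomes, 1, p)
    if per_setting <= 1e-12:
        return None
    return math.floor((qubits - 1) / per_setting) + 1


if __name__ == "__main__":
    p_chsh = 0.5 + 1 / (2 * math.sqrt(2))
    b = uniform_game_bound(2, 2, p_chsh)
    print("CHSH: log d >=", round(b, 4), "->", min_qubits(b), "qubit(s)")
    for settings in (2, 3, 5, 10):
        print(settings, "settings:", round(uniform_game_bound(2, settings, p_chsh), 3))
    print("settings needed to force 2 qubits:", settings_needed(2, p_chsh, 2))
```

The bound is exactly zero when p equals the guessing probability 1/|A_j|, and a non-uniform entry distribution lowers it further because H(X_t) shrinks.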

Our bound contains a tradeoff between the probability p of giving the cor- 
rect answer, the number of measurement settings, and the number of possible 
outcomes. Clearly, our bound will only be good, if the number of measurement 
settings is large. It is also clear that it performs badly as p approaches 1/2 
and \Aj\ is large, and thus for most cases our bound will be very unsatisfactory. 
The following figures illustrate the tradeoff between the different parameters of

8.4 Upper bounds

Ideally, we would find an upper bound on the amount of entanglement we need 
purely from the description of the game alone. Clearly, Tsirelson's construction 



from Chapter 6.3.2 tells us that for any XOR game the local dimension of Alice's 
and Bob's system is d < 2^^^, where N is the number of measurement settings. 
Similarly to XOR games, we can consider mod k-games. Here, Alice and Bob
have to give answers $a_1, a_2$ given questions $s_1, s_2$ such that $f(s_1, s_2) = a_1 + a_2 \bmod k$
for some function $f : S_1 \times S_2 \to \{0, \ldots, k - 1\}$. One may hope that for
mod k-games, similarly to XOR-games, the following holds:

8.4.1. Conjecture. For any mod k-game, the dimension of Alice's and Bob's 
systems obeys d < k^/"^, where N is the number of measurement settings for Alice 
and Bob. 



An alternative approach to bounding the dimension would be to consider how
far we can reduce the size of an existing state and observables using Lemma 6.3.1.
Suppose that Alice has only two measurement settings $X_0 = X_0^0 - X_0^1$ and
$X_1 = X_1^0 - X_1^1$ with $X_0^0 + X_0^1 = I$ and $X_1^0 + X_1^1 = I$. We know from Lemma 3.5.2 that
there exist projectors $\Pi_j$ such that we can decompose $X_s^b$ as $X_s^b = \sum_j \Pi_j X_s^b \Pi_j$
for $s, b \in \{0, 1\}$, where $\mathrm{rank}(\Pi_j) \leq 2$. Hence, we can immediately conclude from
Lemma 6.3.1 that if Alice only measures two possible observables with two
outcomes each, the dimension of her state does not need to exceed $d = 2$. This has
previously been proved by Masanes [Mas06]. Could we prove something similar
for three measurement settings? Sadly, Theorem 3.5.7 tells us that this is not
possible! There do exist three measurements for which no such decomposition
exists. It is not hard to see that the question of how large Alice's entangled
state has to be given a specific set of measurement operators is essentially
equivalent to the question of how many qubits we need to store in the problem of
post-measurement information to achieve perfect success. In both settings we are
interested in reducing the dimension by finding a way to block-diagonalize the
matrices.

Figure 8.2: Tradeoff for 2 outcomes.

8.5 Conclusion 

Bounding the amount of entanglement that we need to implement the optimal
strategy in non-local games remains a tricky problem. We have given a simple 
lower bound on the amount of entanglement necessary for an extremely restricted 
class of games. The CHSH game forms an instance of such a game. Even though 
our bound is very weak, and the class of games quite restricted, we are hopeful 
that our approach may lead to stronger statements in the future. We also showed 
how our earlier considerations and Tsirelson's construction led to an upper bound 
for the specific case of XOR-games. Sadly, better bounds still elude us so far. 



Chapter 9 



Interactive Proof Systems 



As we saw in the past chapters, two spatially separated parties, Alice and Bob, can 
use entanglement to obtain correlations that are impossible to achieve classically, 
without any additional communication. However, there do exist classical systems 
whose strength, or security, indeed depends crucially on the fact that specific 
parties cannot communicate during the course of the protocol. How are such 
systems affected by the presence of entanglement? Can Alice and Bob use their 
shared entanglement to gain a significant advantage? Here, we study interactive 
proof systems which are a specific case of such a classical system. Surprisingly, 
it turns out that the space-like separation is lost altogether and we can simulate
two classical parties with just a single quantum one. 



9.1 Introduction 

9.1.1 Classical interactive proof systems 

Before getting to the heart of the matter, we first need to take a closer look
at interactive proof systems. Classical interactive proof systems have received
considerable attention [BFL91, BOGKW88, CCL90, Fei91, LS91, FL92] since
their introduction by Babai [Bab85] and Goldwasser, Micali and Rackoff [GMR89]
in 1985. An interactive proof system takes the form of a protocol of one or
more rounds between two parties, a verifier and a prover. Whereas the prover
is computationally unbounded, the verifier is limited to probabilistic polynomial
time. Both the prover and the verifier have access to a common input string $x$.
The goal of the prover is to convince the verifier that $x$ belongs to a pre-specified
language $L$. The verifier's aim, on the other hand, is to determine whether the
prover's claim is indeed valid. In each round, the verifier sends a polynomial
(in $x$) size query to the prover, who returns a polynomial size answer. At the
end of the protocol, the verifier decides to accept, and conclude $x \in L$, or reject
based on the messages exchanged and his own private randomness. A language
has an interactive proof if there exists a verifier $V$ and a prover $P$ such that: If
$x \in L$, the prover can always convince $V$ to accept. If $x \notin L$, no strategy of
the prover can convince $V$ to accept with non-negligible probability. IP denotes
the class of languages having an interactive proof system. Watrous [Wat99] first
considered the notion of quantum interactive proof systems. Here, the prover
has unbounded quantum computational power whereas the verifier is restricted
to quantum polynomial time. In addition, the two parties can now exchange
quantum messages. QIP is the class of languages having a quantum interactive
proof system. Classically, it is known that IP = PSPACE [Sha92, She92], where
PSPACE is the class of languages decidable using only polynomial space. For the
quantum case, it has been shown that $\mathrm{PSPACE} \subseteq \mathrm{QIP} \subseteq \mathrm{EXP}$ [Wat99, KW00].
If, in addition, the verifier is given polynomial size quantum advice, the resulting
class QIP/qpoly contains all languages [Raz05]. Let QIP(k) denote the class
where the prover and verifier are restricted to exchanging k messages. It is known
that QIP = QIP(3) [KW00] and $\mathrm{QIP}(1) \subseteq \mathrm{PP}$ [Vya03, MW05], where PP is the
class of all problems solvable by a probabilistic machine in polynomial time. We
refer to [MW05] for an overview of the extensive work done on QIP(1), also
known as QMA. Very little is known about QIP(2) and its relation to either PP
or PSPACE.

In multiple-prover interactive proof systems the verifier can interact with
multiple, computationally unbounded provers. Before the protocol starts, the provers
are allowed to agree on a joint strategy, however they can no longer communicate
during the execution of the protocol. Let MIP denote the class of languages
having a multiple-prover interactive proof system. Here, we are especially interested
in two-prover interactive proof systems as introduced by Ben-Or, Goldwasser,
Kilian and Wigderson [BOGKW88]. Babai, Fortnow and Lund [BFL91], and Feige
and Lovász [FL92] have shown that a language is in NEXP if and only if it has a
two-prover one-round proof system, i.e., MIP[2] = NEXP. Feige and Lovász have
also shown that a system using more than two provers is thus no more powerful
than a system with only two provers, i.e., MIP[2] = MIP. Let $\oplus\mathrm{MIP}[2]$ denote
the restricted class where the verifier's output is a function of the XOR of two
binary answers. Even for such a system $\oplus\mathrm{MIP}[2] = \mathrm{NEXP}$, for certain soundness
and completeness parameters [CHTW04a]. Classical multiple-prover interactive
proof systems are thus more powerful than classical proof systems based on a
single prover, assuming $\mathrm{PSPACE} \neq \mathrm{NEXP}$.



9.1.2 Quantum multi-prover interactive proof systems 

Given the advent of quantum computing, one can also consider quantum
interactive proof systems with multiple provers. These can be grouped into two
categories: First, one can consider provers and a verifier that are quantum
themselves and can exchange quantum messages. Kobayashi and Matsumoto have
considered such quantum multiple-prover interactive proof systems which form
an extension of quantum single prover interactive proof systems as described
above. Let QMIP denote the resulting class. In particular, they showed that
QMIP = NEXP if the provers do not share quantum entanglement [KM03]. If
the provers share at most polynomially many entangled qubits the resulting class
is contained in NEXP [KM03].

Secondly, one can consider proof systems where all communication remains
classical, but the provers can share any entangled state as part of their strategy
on which they are allowed to perform arbitrary measurements. Cleve, Høyer,
Toner and Watrous [CHTW04a] have raised the question whether a classical
two-prover system is weakened in such a setting. We write MIP* if the provers share
entanglement. The authors provide a number of examples which demonstrate that
the soundness condition of a classical proof system can be compromised, i.e. the
interactive proof system is weakened, when entanglement is used. In their paper,
it is proved that $\oplus\mathrm{MIP}^*[2] \subseteq \mathrm{NEXP}$. Later, the same authors also showed that
$\oplus\mathrm{MIP}^*[2] \subseteq \mathrm{EXP}$ using semidefinite programming [CHTW04b]. Entanglement
thus clearly weakens an interactive proof system, assuming $\mathrm{EXP} \neq \mathrm{NEXP}$.

Intuitively, entanglement allows the provers to coordinate their answers, even
though they cannot use it to communicate. By measuring the shared entangled
state the provers can generate correlations which they can use to deceive
the verifier. Tsirelson [Tsi80, Tsi87] has shown that even quantum mechanics
limits the strength of such correlations, as we saw in Chapter 6. Recall that
Popescu and Rohrlich [PR94, PR96, PR97] have raised the question why nature
imposes such limits. To this end, they constructed a toy-theory based on
non-local boxes [PR94, vD00], which are hypothetical "machines" generating
correlations stronger than possible in nature. In their full generalization, non-local
boxes can give rise to any type of correlation as long as they cannot be used to
signal. Preda [Pre05] showed that sharing non-local boxes allows two provers to
coordinate their answers perfectly and obtained $\oplus\mathrm{MIP}_{\mathrm{NL}} = \mathrm{PSPACE}$, where we
write $\oplus\mathrm{MIP}_{\mathrm{NL}}$ to indicate that the two provers share non-local boxes.

Kitaev and Watrous [KW00] mention that it is unlikely that a single-prover 
quantum interactive proof system can simulate multiple classical provers, because 
then from QIP ⊆ EXP and MIP = NEXP it follows that EXP = NEXP. 

Surprisingly, it turns out that when the provers are allowed to share 
entanglement it can be possible to simulate two such classical provers by one quantum 
prover. This indicates that entanglement among provers truly leads to a weaker 
proof system. In particular, we show that a two-prover one-round interactive 
proof system where the verifier computes the XOR of two binary answers and the 
provers are allowed to share an arbitrary entangled state, can be simulated by a 
single quantum interactive proof system with two messages: ⊕MIP*[2] ⊆ QIP(2). 
Since very little is known about QIP(2) so far [KW00], we hope that our result 
may help shed some light on its relation to PP or PSPACE. Our result also leads 
to a proof that ⊕MIP*[2] ⊆ EXP. 

9.2 Proof systems and non-local games 
9.2.1 Non-local games 

For our proof, it is necessary to link interactive proof systems to non-local games, 
as we described in Chapter 6.2.3. Since we consider only two parties, we omit 
unnecessary indices and use separate letters to refer to the sets of possible 
questions and answers. We briefly recap our setup, summarized in Figure 9.1. Let $S$, 
$T$, $A$ and $B$ be finite sets, and $\pi$ a probability distribution on $S \times T$. Let $V$ be 
a predicate on $S \times T \times A \times B$. Then $G = G(V, \pi)$ is the following two-person 
cooperative game*: A pair of questions $(s,t) \in S \times T$ is chosen at random 
according to the probability distribution $\pi$. Then $s$ is sent to player 1, henceforth 
called Alice, and $t$ to player 2, which we call Bob. Upon receiving $s$, Alice has 
to reply with an answer $a \in A$. Likewise, Bob has to reply to question $t$ with an 
answer $b \in B$. They win if $V(s,t,a,b) = 1$ and lose otherwise. Alice and Bob 
may agree on any kind of strategy beforehand, but they are no longer allowed 
to communicate once they have received questions $s$ and $t$. The value $\omega(G)$ of a 
game $G$ is the maximum probability that Alice and Bob win the game. We write 
$V(a,b|s,t)$ instead of $V(s,t,a,b)$ to emphasize the fact that $a$ and $b$ are answers 
given questions $s$ and $t$. 

Here, we are particularly interested in non-local games. Alice and Bob are 
allowed to share an arbitrary entangled state to help them win the game. Let 
$\mathcal{H}_A$ and $\mathcal{H}_B$ denote the Hilbert spaces of Alice and Bob respectively. The state 
$|\Psi\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$ is part of the quantum strategy that Alice and Bob can agree on 
beforehand. This means that for each game, Alice and Bob can choose a specific 
$|\Psi\rangle$ to maximize their chance of success. In addition, Alice and Bob can agree 
on quantum measurements. For each $s \in S$, Alice has a projective measurement 
described by $\{X_s^a \mid a \in A\}$ on $\mathcal{H}_A$. For each $t \in T$, Bob has a projective 
measurement described by $\{Y_t^b \mid b \in B\}$ on $\mathcal{H}_B$. For questions $(s,t) \in S \times T$, 
Alice performs the measurement corresponding to $s$ on her part of $|\Psi\rangle$ which gives 
her outcome $a$. Likewise, Bob performs the measurement corresponding to $t$ on 
his part of $|\Psi\rangle$ with outcome $b$. Both send their outcome, $a$ and $b$, back to the 
verifier. The probability that Alice and Bob answer $(a,b) \in A \times B$ is then given 
by 

The probability that Alice and Bob win the game is now given by 

$$\Pr[\text{Alice and Bob win}] = \sum_{s,t} \pi(s,t) \sum_{a,b} V(a,b|s,t)\, \langle\Psi| X_s^a \otimes Y_t^b |\Psi\rangle. \qquad (9.1)$$

* Players 1 and 2 collaborate against the verifier. 

Figure 9.1: A one-round XOR proof system. 

The quantum value $\omega_q(G)$ of a game $G$ is the maximum probability over all 
possible quantum strategies that Alice and Bob win. Recall that an XOR game is 
a game where the value of $V$ only depends on $c = a \oplus b$ and not on $a$ and $b$ 
independently. For XOR games we write $V(c|s,t)$ instead of $V(a,b|s,t)$. Here, 
we are only interested in the case that $a \in \{0,1\}$ and $b \in \{0,1\}$ and XOR games. 
Alice and Bob's measurements are then described by $\{X_s^0, X_s^1\}$ for $s \in S$ and 
$\{Y_t^0, Y_t^1\}$ for $t \in T$ respectively. Note that $X_s^0 + X_s^1 = I$ and $Y_t^0 + Y_t^1 = I$ and thus 
these measurements can be expressed in the form of observables $X_s$ and $Y_t$ with 
eigenvalues $\pm 1$: $X_s = X_s^0 - X_s^1$ and $Y_t = Y_t^0 - Y_t^1$. Recall from Chapter 6 that 
Tsirelson [Tsi80, Tsi87] has shown that for any $|\Psi\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$ there exist real 
unit vectors $x_s, y_t \in \mathbb{R}^N$ with $N = |S| + |T|$ such that $\langle\Psi|X_s \otimes Y_t|\Psi\rangle = \langle x_s|y_t\rangle$. 

It is then easy to see from Eq. (9.1) that for XOR games we can express the 
maximum winning probability as 

$$\omega_q(G) = \max \frac{1}{2} \sum_{s,t} \pi(s,t) \sum_{c} V(c|s,t) \left(1 + (-1)^c \langle x_s|y_t\rangle\right), \qquad (9.2)$$

where the maximization is taken over all unit vectors $x_s, y_t \in \mathbb{R}^N$. 
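The maximization in Eq. (9.2) can be carried out numerically. The following Python code is an added example, not code from the thesis: it evaluates Eq. (9.2) for the CHSH game and compares the result with the classical value, showing how far entanglement raises the acceptance probability that a verifier's soundness bound has to account for. It uses alternating maximization over the unit vectors instead of semidefinite programming, so for a general XOR game it returns a lower bound on $\omega_q(G)$; all function names are illustrative.

```python
import itertools
import math
import random


def chsh_game():
    """CHSH as an XOR game: uniform questions, accept iff a XOR b == s AND t."""
    S, T = (0, 1), (0, 1)
    pi = {(s, t): 0.25 for s in S for t in T}
    V = lambda c, s, t: 1 if c == (s & t) else 0   # V(c|s,t)
    return S, T, pi, V


def classical_value(S, T, pi, V):
    """omega(G): best acceptance probability without entanglement.

    Shared randomness cannot beat the best deterministic pair of answer
    functions, so enumerating all a: S -> {0,1}, b: T -> {0,1} suffices.
    """
    best = 0.0
    for a in itertools.product((0, 1), repeat=len(S)):
        for b in itertools.product((0, 1), repeat=len(T)):
            p = sum(pi[(s, t)] * V(a[i] ^ b[j], s, t)
                    for i, s in enumerate(S) for j, t in enumerate(T))
            best = max(best, p)
    return best


def _unit(v):
    """Normalize v; a zero vector means any unit vector is equally good."""
    norm = math.sqrt(sum(c * c for c in v))
    if norm < 1e-12:
        return [1.0] + [0.0] * (len(v) - 1)
    return [c / norm for c in v]


def quantum_value(S, T, pi, V, restarts=5, sweeps=500, seed=1):
    """Maximize Eq. (9.2) over unit vectors x_s, y_t in R^N, N = |S| + |T|.

    Eq. (9.2) splits into a constant plus (1/2) * sum_{s,t} M[s][t] <x_s|y_t>.
    For fixed y the best x_s is the normalized vector sum_t M[s][t] y_t (and
    vice versa), so each sweep can only increase the objective.
    """
    n = len(S) + len(T)
    const = 0.5 * sum(pi[(s, t)] * (V(0, s, t) + V(1, s, t)) for s in S for t in T)
    M = [[pi[(s, t)] * (V(0, s, t) - V(1, s, t)) for t in T] for s in S]
    rng = random.Random(seed)
    best = 0.0
    for _restart in range(restarts):
        y = [_unit([rng.gauss(0, 1) for _k in range(n)]) for _t in T]
        prev = -math.inf
        corr = 0.0
        for _sweep in range(sweeps):
            x = [_unit([sum(M[i][j] * y[j][k] for j in range(len(T)))
                        for k in range(n)]) for i in range(len(S))]
            y = [_unit([sum(M[i][j] * x[i][k] for i in range(len(S)))
                        for k in range(n)]) for j in range(len(T))]
            corr = sum(M[i][j] * sum(p * q for p, q in zip(x[i], y[j]))
                       for i in range(len(S)) for j in range(len(T)))
            if corr - prev < 1e-13:        # converged
                break
            prev = corr
        best = max(best, const + 0.5 * corr)
    return best


if __name__ == "__main__":
    game = chsh_game()
    print("classical value:", classical_value(*game))
    print("quantum value  :", quantum_value(*game))
```

For CHSH the alternating scheme reaches the Tsirelson bound, so a verifier that sets its soundness threshold from the classical value alone would accept entangled provers too often.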



9.2.2 Multiple classical provers 

It is well known [CHTW04a, FL92] that two-prover one-round interactive proof 
systems with classical communication can be modeled as (non-local) games. Here, 
Alice and Bob take the role of the two provers. The verifier now poses questions 
$s$ and $t$, and evaluates the resulting answers. A proof system associates with each 
string $x$ a game $G_x$, where $\omega(G_x)$ determines the probability that the verifier 
accepts (and thus concludes $x \in L$). The string $x$, and thus the nature of the 
game, is known to both the verifier and the provers. Ideally, for all $x \in L$ the 
value of $\omega(G_x)$ is close to one, and for $x \notin L$ the value of $\omega(G_x)$ is close to zero. 
It is possible to extend the game model for MIP[2] to use a randomized predicate 
for the acceptance predicate $V$. This corresponds to $V$ taking an extra input 
string chosen at random by the verifier. However, known applications of MIP[2] 
proof systems do not require this extension [Fei95]. Our argument in Section 9.3 
can easily be extended to deal with randomized predicates. Since $V$ is not a 
randomized predicate in [CHTW04a], we follow this approach. 

We concentrate on proof systems involving two provers, one round of 
communication, and single-bit answers. The provers are computationally unbounded, 
but limited by the laws of quantum physics. However, the verifier is 
probabilistic polynomial time bounded. As defined by Cleve, Høyer, Toner and 
Watrous [CHTW04a]: 

9.2.1. Definition. For $0 < s < c < 1$, let $\oplus\mathrm{MIP}_{c,s}[2]$ denote the class of all 
languages $L$ recognized by a classical two-prover interactive proof system of the 
following form: 

• They operate in one round, each prover sends a single bit in response to 
the verifier's question, and the verifier's decision is a function of the parity 
of those two bits. 

• If $x \in L$ then there exists a strategy for the provers for which the probability 
that the verifier accepts is at least $c$ (the completeness probability). 

• If $x \notin L$ then, whatever strategy the two provers follow, the probability 
that the verifier accepts is at most $s$ (the soundness probability). 

9.2.2. Definition. For $0 < s < c < 1$, let $\oplus\mathrm{MIP}^*_{c,s}[2]$ denote the class 
corresponding to a modified version of the previous definition: all communication 
remains classical, but the provers may share prior quantum entanglement, which 
may depend on $x$, and perform quantum measurements. 

We generally omit indices c, s, unless they are explicitly relevant. 

In Chapter 7, we discussed how to find the optimal strategies for XOR-games. 
In particular, we saw that we can determine the optimal value of $\omega_q(G_x)$ in 
time exponential in $\min(|S|, |T|)$ using semidefinite programming. This implies 
immediately that ⊕MIP* ⊆ EXP, as was shown by Cleve, Høyer, Toner and 
Watrous [CHTW04a] during their presentation at CCC'04. Here, we show something 
stronger, namely that ⊕MIP* ⊆ QIP(2). 

9.2.3 A single quantum prover 

Instead of two classical provers, we can also consider a system consisting of a 
single quantum prover $P_Q$ and a quantum polynomial time verifier $V_Q$ as defined by 
Watrous [Wat99]. Again, the quantum prover $P_Q$ is computationally unbounded, 
however, he is limited by the laws of quantum physics. The verifier and the prover 
can communicate over a quantum channel. In this thesis, we are only interested in 
one round quantum interactive proof systems: the verifier sends a single quantum 
message to the prover, who responds with a quantum answer. We here express 
the definition of QIP(2) [Wat99] in a form similar to the definition of ⊕MIP*: 

9.2.3. Definition. Let QIP(2, c, s) denote the class of all languages $L$ 
recognized by a quantum one-prover one-round interactive proof system of the 
following form: 

• If $x \in L$ then there exists a strategy for the quantum prover for which the 
probability that the verifier accepts is at least $c$. 

• If $x \notin L$ then, whatever strategy the quantum prover follows, the probability 
that the quantum verifier accepts is at most $s$. 



9.3 Simulating two classical provers with one quantum prover 

We now show that an interactive proof system where the verifier bases his decision 
only on the XOR of two binary answers is in fact no more powerful than a system 
based on a single quantum prover. The main idea behind our proof is to combine 
two classical queries into one quantum query, and thereby simulate the classical 
proof system with a single quantum prover. Similar techniques have been used 
to prove results about classical locally decodable codes [KW03, WdW05]. Recall 
that the two provers can use an arbitrary entangled state as part of their strategy. 
For our proof we make use of the fact that we can write the optimal value of 
the game as in Eq. (9.2). 



9.3.1. Theorem. For all $s$ and $c$ such that $0 < s < c < 1$, 
$\oplus\mathrm{MIP}^*_{c,s}[2] \subseteq \mathrm{QIP}(2,c,s)$. 

Proof. Let $L \in \oplus\mathrm{MIP}^*_{c,s}[2]$ and let $V_e$ be a verifier witnessing this fact. Let 
$P_1$ (Alice) and $P_2$ (Bob) denote the two provers sharing entanglement. Fix an 
input string $x$. As mentioned above, interactive proof systems can be modeled as 
games indexed by the string $x$. It is therefore sufficient to show that there exists 
a verifier $V_Q$ and a quantum prover $P_Q$, such that $\omega_{sim}(G_x) = \omega_q(G_x)$, where 
$\omega_{sim}(G_x)$ is the value of the simulated game. 

Let $s,t$ be the questions that $V_e$ sends to the two provers $P_1$ and $P_2$ in the 
original game. The new verifier $V_Q$ now constructs the following state in $\mathcal{V} \otimes \mathcal{M}$ 

V M V M 

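and sends register $\mathcal{M}$ to the single quantum prover $P_Q$. 

We first consider the honest strategy of the prover. Let $a$ and $b$ denote the 
answers of the two classical provers to questions $s$ and $t$ respectively. The quantum 
prover now transforms the state to 

$$|\Phi_{honest}\rangle = \frac{1}{\sqrt{2}}\Big((-1)^a \underbrace{|0\rangle}_{\mathcal{V}} \underbrace{|0\rangle|s\rangle}_{\mathcal{M}} + (-1)^b \underbrace{|1\rangle}_{\mathcal{V}} \underbrace{|1\rangle|t\rangle}_{\mathcal{M}}\Big),$$

and returns register $\mathcal{M}$ back to the verifier. The verifier $V_Q$ now performs a 
measurement on $\mathcal{V} \otimes \mathcal{M}$ described by the following projectors 

$$P_0 = |\Psi^+\rangle\langle\Psi^+| \otimes I$$
$$P_1 = |\Psi^-\rangle\langle\Psi^-| \otimes I$$
$$P_{reject} = I - P_0 - P_1,$$

where $|\Psi^\pm\rangle = (|0\rangle|0\rangle|s\rangle \pm |1\rangle|1\rangle|t\rangle)/\sqrt{2}$. If he obtains outcome "reject", he 
immediately aborts and concludes that the quantum prover is cheating. If he obtains 
outcome $m \in \{0,1\}$, the verifier concludes that $c = a \oplus b = m$. Note that 
$\Pr[m = a \oplus b \mid s,t] = \langle\Phi_{honest}|P_{a \oplus b}|\Phi_{honest}\rangle = 1$, so the verifier can reconstruct the 
answer perfectly. 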

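We now consider the case of a dishonest prover. In order to convince the 
verifier, the prover applies a transformation on $\mathcal{M} \otimes \mathcal{P}$ and sends register $\mathcal{M}$ back 
to the verifier. We show that for any such transformation the value of the resulting 
game is at most $\omega_q(G_x)$. Note that the state of the total system in $\mathcal{V} \otimes \mathcal{M} \otimes \mathcal{P}$ 
can now be described as 

$$|\Phi_{dish}\rangle = \frac{1}{\sqrt{2}}\left(|0\rangle|\phi_s\rangle + |1\rangle|\phi_t\rangle\right)$$

where $|\phi_s\rangle = \sum_{u \in S' \cup T'} |u\rangle|\alpha_u^s\rangle$ and $|\phi_t\rangle = \sum_{v \in S' \cup T'} |v\rangle|\beta_v^t\rangle$ with $S' = \{0s \mid s \in S\}$ 
and $T' = \{1t \mid t \in T\}$. Any transformation employed by the prover can be 
described this way. We now have that 

$$\Pr[m = 0|s,t] = \langle\Phi_{dish}|P_0|\Phi_{dish}\rangle = \frac{1}{4}\left(\langle\alpha_s^s|\alpha_s^s\rangle + \langle\beta_t^t|\beta_t^t\rangle\right) + \frac{1}{2}\Re\left(\langle\alpha_s^s|\beta_t^t\rangle\right) \qquad (9.3)$$

$$\Pr[m = 1|s,t] = \langle\Phi_{dish}|P_1|\Phi_{dish}\rangle = \frac{1}{4}\left(\langle\alpha_s^s|\alpha_s^s\rangle + \langle\beta_t^t|\beta_t^t\rangle\right) - \frac{1}{2}\Re\left(\langle\alpha_s^s|\beta_t^t\rangle\right) \qquad (9.4)$$

The probability that the prover wins is given by 

$$\Pr[\text{Prover wins}] = \sum_{s,t} \pi(s,t) \sum_{c \in \{0,1\}} V(c|s,t) \Pr[m = c|s,t].$$

The prover will try to maximize his chance of success by maximizing $\Pr[m = 0|s,t]$ 
or $\Pr[m = 1|s,t]$. We can therefore restrict ourselves to considering real unit 
vectors for which $\langle\alpha_s^s|\alpha_s^s\rangle = 1$ and $\langle\beta_t^t|\beta_t^t\rangle = 1$, as the dimension of our vectors is 
directly determined by their number. Hence, we may also assume that $|\alpha_{s'}^{s}\rangle = 0$ 
iff $s \neq s'$ and $|\beta_{t'}^{t}\rangle = 0$ iff $t \neq t'$: any other strategy can lead to rejection and 
thus to a lower probability of success. By substituting into Eqs. (9.3) and (9.4), 
it follows that the probability that the quantum prover wins the game (when he 
avoids rejection) is 

$$\frac{1}{2} \sum_{s,t,c} \pi(s,t) V(c|s,t) \left(1 + (-1)^c \langle\alpha_s^s|\beta_t^t\rangle\right). \qquad (9.5)$$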



In order to convince the verifier, the prover's goal is to choose real vectors $|\alpha_s^s\rangle$ 
and $|\beta_t^t\rangle$ which maximize Eq. (9.5). Since in $|\phi_s\rangle$ and $|\phi_t\rangle$ we sum over $|S'| + |T'| = 
|S| + |T|$ elements respectively, the dimension of $\mathcal{P}$ need not exceed $N = |S| + |T|$. 
Thus, it is sufficient to restrict the maximization to vectors in $\mathbb{R}^{|S|+|T|}$. Given 
Eq. (9.5), we thus have 

$$\omega_{sim}(G_x) = \max \frac{1}{2} \sum_{s,t,c} \pi(s,t) V(c|s,t) \left(1 + (-1)^c \langle\alpha_s^s|\beta_t^t\rangle\right),$$

where the maximization is taken over vectors $\{\alpha_s^s \in \mathbb{R}^N : s \in S\}$, and $\{\beta_t^t \in \mathbb{R}^N : 
t \in T\}$. However, we know from Eq. (9.2) that 

$$\omega_q(G_x) = \max \frac{1}{2} \sum_{s,t,c} \pi(s,t) V(c|s,t) \left(1 + (-1)^c \langle x_s|y_t\rangle\right)$$

where the maximization is taken over unit vectors $\{x_s \in \mathbb{R}^N : s \in S\}$ and 
$\{y_t \in \mathbb{R}^N : t \in T\}$. We thus have 

$$\omega_{sim}(G_x) = \omega_q(G_x)$$

which completes our proof. □ 

9.3.2. Corollary. For all $s$ and $c$ such that $0 < s < c < 1$, $\oplus\mathrm{MIP}^*_{c,s}[2] \subseteq \mathrm{EXP}$. 

Proof. This follows directly from Theorem 9.3.1 and the result that QIP(2) ⊆ 
EXP [KW00]. □ 






Chapter 9. Interactive Proof Systems 



9.4 Conclusion 

As we have shown, the strength of classical systems can be weakened considerably 
in the presence of entanglement. In our example above, we showed that the 
systems can be weakened so much that all space-like separation is lost: we saw 
that two classical parties with entanglement are as powerful as a single quantum 
party. 

It would be interesting to show that this result also holds for a proof system 
where the verifier is not restricted to computing the XOR of both answers, but 
some other Boolean function. However, the approach based on vectors from 
Tsirelson's results does not work for binary games. Whereas it is easy to construct 
a single quantum query which allows the verifier to compute an arbitrary function 
of the two binary answers with some advantage, it thus remains unclear how the 
value of the resulting game is related to the value of a binary game. Furthermore, 
mere classical tricks trying to obtain the value of a binary function from XOR 
itself seem to confer extra cheating power to the provers. 

Examples of non-local games with longer answers [CHTW04a], such as the 
Kochen-Specker or the Magic Square game, seem to make it even easier for the 
provers to cheat by taking advantage of their entangled state. Furthermore, 
existing proofs that MIP = NEXP break down if the provers share entanglement. 
It is therefore an open question whether MIP* = NEXP or, MIP* ⊆ EXP. 

As described, non-locality experiments between two space-like separated 
observers, Alice and Bob, can be cast in the form of non-local games. For 
example, the experiment based on the well known CHSH inequality [CHSH69] 
is a non-local game with binary answers of which the verifier computes the 
XOR [CHTW04a]. Our result implies that this non-local game can be 
simulated in superposition by a single prover/observer: Any strategy that Alice and 
Bob might employ in the non-local game can be mirrored by the single prover in 
the constructed "superposition game", and also vice versa, due to Tsirelson's 
constructions [Tsi80, Tsi87] mentioned earlier. This means that the "superposition 
game" corresponding to the non-local CHSH game is in fact limited by Tsirelson's 
inequality [Tsi80], even though it itself has no non-local character. Whereas this 
may be purely coincidental, it would be interesting to know its physical 
interpretation, if any. Perhaps it may be interesting to ask whether Tsirelson-type 
inequalities have any consequences on local computations in general, beyond the 
scope of these very limited games. 

Finally, we turn our attention to cryptographic protocols directly. As we saw in 
Chapter 1, it is impossible to implement bit commitment even in the quantum 
setting! In the face of the negative results, what can we still hope to achieve? 

10.1 Introduction 

Here, we consider the task of committing to an entire string of n bits at once 
when both the honest player and the adversary have unbounded resources. Since 
perfect bit commitment is impossible, perfect bit string commitment is clearly 
impossible as well. Curiously, however, we can still make interesting statements 
in the quantum setting, if we give both Alice and Bob a limited ability to cheat. 
That is, we allow Alice to change her mind about the committed string within 
certain limited parameters, and allow Bob to gain some information about the 
committed string. It turns out that it matters crucially how we measure Bob's 
information gain. 

First, we introduce a framework for the classification of bit string 
commitments in terms of the length $n$ of the string, Alice's ability to cheat on at most $a$ 
bits and Bob's ability to acquire at most $b$ bits of information before the reveal 
phase. We say that Alice can cheat on $a$ bits if she can reveal up to $2^a$ strings 
successfully. Bob's security definition is crucial to our investigation: If $b$ determines 
a bound on his probability to guess Alice's string, then we prove that $a + b$ is at 
least $n$. This implies that the trivial protocol, where Alice's commitment consists 
of sending $b$ bits of her string to Bob, is optimal. If, however, $b$ is a bound on the 
accessible information that the quantum states contain about Alice's string, then 
we show that non-trivial schemes exist. More precisely, we construct schemes 
with $a = 4\log n + O(1)$ and $b = 4$. This is impossible classically. We also present 
a simple, implementable, protocol, that achieves $a = 1$ and $b = n/2$. This 
protocol can furthermore be made cheat-sensitive. Quantum commitments of strings 
have previously been considered by Kent [Ken03], who pointed out that in the 






Chapter 10. Limitations 



quantum world useful bit string commitments could be possible despite the 
no-go theorem for bit commitment. His scenario differs significantly from ours and 
imposes an additional constraint, which is not present in our work: Alice does 
not commit to a superposition of strings. 

10.2 Preliminaries 
10.2.1 Definitions 

We first formalize the notion of quantum string commitments in a quantum 
setting. 

10.2.1. Definition. An $(n,a,b)$-Quantum Bit String Commitment (QBSC) is 
a quantum communication protocol between two parties, Alice (the committer) 
and Bob (the receiver), which consists of two phases: 

• (Commit Phase) Assume that both parties are honest. Alice chooses a string 
$x \in \{0,1\}^n$ with probability $p_x$. Alice and Bob communicate and at the end 
Bob holds state $\rho_x$. 

• (Reveal Phase) If both parties are honest, Alice and Bob communicate and 
at the end Bob outputs $x$. Bob accepts. 

We have the following two security requirements: 

• (Concealing) If Alice is honest, then for any strategy of Bob 

$$\sum_{x \in \{0,1\}^n} p^B_{x|x} \le 2^b,$$

where $p^B_{x|x}$ is the probability that Bob correctly guesses $x$ before the reveal 
phase. 

• (Binding) If Bob is honest, then for any strategy of Alice 

$$\sum_{x \in \{0,1\}^n} p^A_x \le 2^a,$$

where $p^A_x$ is the probability that Alice successfully reveals $x$ (Bob accepts the 
opening of $x$). 

Bob thereby accepts the opening of a string $x$, if he performs a test depending 
on the individual protocol to check Alice's honesty and concludes that she was 
indeed honest. Note that quantumly, Alice can always commit to a superposition 
of different strings without being detected. Thus even for a perfectly binding bit 
string commitment (i.e. $a = 0$) we only demand that $\sum_{x \in \{0,1\}^n} p^A_x \le 1$, whereas 
classically one wants that $p^A_{x'} = \delta_{x,x'}$. Note that our concealing definition reflects 
Bob's a priori knowledge about $x$. We choose an a priori uniform distribution 
(i.e. $p_x = 2^{-n}$) for $(n,a,b)$-QBSCs, which naturally comes from the fact that we 
consider $n$-bit strings. A generalization to any $(P_X,a,b)$-QBSC where $P_X$ is an 
arbitrary distribution is possible but omitted in order not to obscure our main 
line of argument. 

Instead of Bob's guessing probability, one can take any information measure 
$B$ to express the security against Bob. In general, we consider an $(n,a,b)$-QBSC$_B$ 
where the new Concealing-condition reads 

• (General Concealing) If Alice is honest, then for any ensemble $\mathcal{E} = \{p_x, \rho_x\}$ 
that Bob can obtain by a cheating strategy $B(\mathcal{E}) \le b$. 

Later, we will show that for $B$ being the accessible information, non-trivial 
protocols, i.e. protocols with $a + b \ll n$, do exist. Recall that the accessible information 
was defined in Section 2.3.2 as $I_{acc}(\mathcal{E}) = \max_M I(X,Y)$, where $P_X$ is the prior 
distribution of the random variable $X$, $Y$ is the random variable of the outcome 
of Bob's measurement on $\mathcal{E}$, and the maximization is taken over all measurements 
$M$. 



10.2.2 Model 

We work in the model of two-party non-relativistic quantum protocols of Yao 
[Yao95], simplified by Lo and Chau [LC97], which is usually adopted in this 
context. Here, any two-party quantum protocol can be regarded as a pair of quantum 
machines (Alice and Bob), interacting through a quantum channel. Consider the 
product of three Hilbert spaces $\mathcal{H}_A$, $\mathcal{H}_B$ and $\mathcal{H}_C$ of bounded dimensions, 
representing the Hilbert spaces of Alice's and Bob's machines and the channel, 
respectively. Without loss of generality, we assume that each machine is initially in a 
specified pure state. Alice and Bob perform a number of rounds of communication 
over the channel. Each such round can be modeled as a unitary transformation 
on $\mathcal{H}_A \otimes \mathcal{H}_C$ and $\mathcal{H}_B \otimes \mathcal{H}_C$ respectively. Since the protocol is known to both 
Alice and Bob, they know the set of possible unitary transformations used in the 
protocol. We assume that Alice and Bob are in possession of both a quantum 
computer and a quantum storage device. This enables them to add ancillae to the 
quantum machine and use reversible unitary operations to replace measurements. 
The state of this ancilla can then be read off only at the end of the protocol, and 
by doing so, Alice and Bob can effectively delay any measurements until the very 
end. The resulting protocol will be equivalent to the original and thus we can 
limit ourselves to protocols where both parties only measure at the very end. 
Moreover, any classical computation or communication that may occur can be 
simulated by a quantum computer. 

10.2.3 Tools 

We now gather the essential ingredients for our proof. First, we show that 
every $(n,a,b)$-QBSC is an $(n,a,b)$-QBSC$_\xi$. The security measure $\xi(\mathcal{E})$ is defined 
by 

$$\xi(\mathcal{E}) := n - H_2(\rho_{AB}|\rho), \qquad (10.1)$$

where $\rho_{AB} = \sum_x p_x |x\rangle\langle x| \otimes \rho_x$ and $\rho = \sum_x p_x \rho_x$ are only dependent on the 
ensemble $\mathcal{E} = \{p_x, \rho_x\}$. $H_2(\cdot|\cdot)$ is an entropic quantity defined in [Ren05] 

$$H_2(\rho_{AB}|\rho) := -\log \mathrm{Tr}\left[\left((I \otimes \rho^{-1/2})\rho_{AB}\right)^2\right].$$

Interestingly, this quantity is directly connected to Bob's maximal average 
probability of successfully guessing the string: 



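10.2.2. Lemma. Bob's maximal average probability of successfully guessing the 
committed string, i.e. $\sup_M \sum_x p_x p^{B,M}_{x|x}$ where $M = \{M_x\}$ ranges over all 
measurements and $p^{B,M}_{y|x} = \mathrm{Tr}(M_y \rho_x)$ is the conditional probability of outputting $y$ 
given $\rho_x$, obeys 

$$\sup_M \sum_x p_x p^{B,M}_{x|x} \ge 2^{-H_2(\rho_{AB}|\rho)}.$$

Proof. By definition, the maximum average guessing probability is lower 
bounded by the average guessing probability for a particular measurement 
strategy. We choose the square-root measurement which has operators 

$$M_x = p_x \rho^{-1/2} \rho_x \rho^{-1/2}.$$

We use $p^{B,M}_{x|x} = \mathrm{Tr}(M_x \rho_x)$ to denote the probability that Bob guesses $x$ given $\rho_x$, 
hence 

$$\log \sum_x p_x p^{B,M}_{x|x} \ge \log \sum_x p_x^2\, \mathrm{Tr}\left(\rho^{-1/2} \rho_x \rho^{-1/2} \rho_x\right)$$
$$= \log \mathrm{Tr}\left[\sum_x p_x^2 |x\rangle\langle x| \otimes \rho^{-1/2} \rho_x \rho^{-1/2} \rho_x\right]$$
$$= \log \mathrm{Tr}\left[\left((I \otimes \rho^{-1/2})\rho_{AB}\right)^2\right]$$
$$= -H_2(\rho_{AB}|\rho).$$

□ 

Related estimates were derived in [BK02]. 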

Furthermore, we make use of the following theorem, known as privacy 
amplification against a quantum adversary with two-universal hash functions, which 
we state in a form that is most convenient for our purposes in this chapter. 
A class $\mathcal{F}$ of functions $f : \{0,1\}^n \to \{0,1\}^s$ is thereby called two-universal if 
for all $x \neq y \in \{0,1\}^n$ and for uniformly at random chosen $f \in \mathcal{F}$ we have 
$\Pr[f(x) = f(y)] \le 2^{-s}$. For example, the set of all affine functions* from $\{0,1\}^n$ 
to $\{0,1\}^s$ is two-universal [CW79]. The following theorem expresses how hash 
functions can decrease Bob's knowledge about a random variable when he holds 
some quantum information. In our case, Bob will hold some quantum memory 
and privacy amplification is used to find Alice's attack. 
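The two-universality condition can be checked exhaustively for small parameters. The following Python code is an added example, not part of the thesis: it enumerates every affine map over GF(2) from $\{0,1\}^n$ to $\{0,1\}^s$, confirms the collision bound $2^{-s}$, contrasts it with a bit-selection family (a weak family constructed here for comparison) that violates the bound, and lists one preimage set $g^{-1}(y)$ of the kind Alice superposes over in Section 10.3. All function names are illustrative.

```python
import itertools
from fractions import Fraction


def affine_family(n, s):
    """All maps f(x) = A x XOR c over GF(2).

    A is an s-by-n bit matrix stored as s row masks (n-bit integers),
    c is an s-bit offset.  The family has 2**(s*n + s) members.
    """
    return [(rows, c)
            for rows in itertools.product(range(2 ** n), repeat=s)
            for c in range(2 ** s)]


def apply_affine(f, x):
    rows, c = f
    out = 0
    for i, row in enumerate(rows):
        bit = bin(row & x).count("1") & 1      # inner product <row, x> mod 2
        out |= bit << i
    return out ^ c


def selection_family(n, s):
    """Weak family: each function only copies s fixed bit positions of x."""
    return list(itertools.combinations(range(n), s))


def apply_selection(positions, x):
    return sum(((x >> p) & 1) << i for i, p in enumerate(positions))


def worst_collision(family, apply, n):
    """max over x != y of Pr_f[f(x) = f(y)], f uniform in the family."""
    worst = Fraction(0)
    for x, y in itertools.combinations(range(2 ** n), 2):
        hits = sum(1 for f in family if apply(f, x) == apply(f, y))
        worst = max(worst, Fraction(hits, len(family)))
    return worst


def is_two_universal(family, apply, n, s):
    return worst_collision(family, apply, n) <= Fraction(1, 2 ** s)


def preimage(f, y, n):
    """g^{-1}(y): all n-bit strings that the affine map f sends to y."""
    return [x for x in range(2 ** n) if apply_affine(f, x) == y]


if __name__ == "__main__":
    n, s = 4, 2
    aff = affine_family(n, s)
    sel = selection_family(n, s)
    print("affine    worst collision:", worst_collision(aff, apply_affine, n))
    print("selection worst collision:", worst_collision(sel, apply_selection, n))
    g = ((0b0001, 0b0010), 0)                  # full-rank example map
    print("g^-1(0b10) =", preimage(g, 0b10, n))
```

The bit-selection family fails because two strings that differ in a single position collide under every function that does not read that position.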



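10.2.3. Theorem (Th. 5.5.1 in [Ren05] (see also [KMR05])). Let $\mathcal{G}$ be a 
class of two-universal hash functions from $\{0,1\}^n$ to $\{0,1\}^s$. Application of $g \in \mathcal{G}$ 
to the random variable $X$ maps the ensemble $\mathcal{E} = \{p_x, \rho_x\}$ to $\mathcal{E}_g = \{q_y^g, \sigma_y^g\}$ with 
probabilities $q_y^g = \sum_{x \in g^{-1}(y)} p_x$ and quantum states $\sigma_y^g = \sum_{x \in g^{-1}(y)} p_x \rho_x$. Then 

$$\frac{1}{|\mathcal{G}|} \sum_{g \in \mathcal{G}} d(\mathcal{E}_g) \le \frac{1}{2}\, 2^{-\frac{1}{2}[H_2(\rho_{AB}|\rho) - s]}, \qquad (10.2)$$

where $d(\mathcal{E}) := D\left(\sum_x p_x |x\rangle\langle x| \otimes \rho_x,\ I/2^n \otimes \rho\right)$ (and similarly for $d(\mathcal{E}_g)$). 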

Finally, the following reasoning that is used to prove the impossibility of 
quantum bit commitment [LC97, May96b] will be essential: Suppose $\rho_0$ and $\rho_1$ are 
density operators that correspond to the state of Bob's system if Alice committed 
a "0" or a "1" respectively. Let $|\phi_0\rangle$ and $|\phi_1\rangle$ be the corresponding purifications 
on the joint system of Alice and Bob: Alice holds the purification of $\rho_0$ and $\rho_1$. If 
$\rho_0$ equals $\rho_1$ then Alice can find a local unitary transformation $U$ that Alice can 
apply to her part of the system such that $|\phi_1\rangle = U \otimes I|\phi_0\rangle$. This enables Alice to 
change the total state from $|\phi_0\rangle$ to $|\phi_1\rangle$ and thus cheat using entanglement! This 
reasoning also holds in an approximate sense [May96b], here used in the following 
form: 



10.2.4. Lemma. Let $D(\rho_0, \rho_1) \le \epsilon$ and assume that the bit-commitment protocol 
is error-free if both parties are honest. Then there exists a method for Alice to 
cheat such that the probability of successfully revealing a 0 during the reveal phase, 
given that she honestly committed herself to a 1 during the commit phase, is at 
least $1 - \sqrt{2\epsilon}$. 

Proof. $D(\rho_0, \rho_1) \le \epsilon$ implies $\max_U |\langle\phi_0|U \otimes I|\phi_1\rangle| \ge 1 - \epsilon$ by Uhlmann's 
theorem [Uhl76]. Here, $|\phi_0\rangle$ and $|\phi_1\rangle$ correspond to the joint states after the commit 
phase if Alice committed to a '0' or '1' respectively where the maximization ranges 
over all unitaries $U$ on Alice's (i.e. the purification) side. Let $|\psi_0\rangle = U \otimes I|\phi_1\rangle$ 
for a $U$ achieving the maximization, be the state that Alice prepares by applying 
$U$ to the state on her side when she wants to reveal a '1', given a prior honest 
commitment to '0'. We then have 

$$D(|\phi_0\rangle\langle\phi_0|, |\psi_0\rangle\langle\psi_0|) = \sqrt{1 - |\langle\phi_0|\psi_0\rangle|^2}.$$

If Bob is honest, the reveal phase can be regarded as a measurement resulting in a 
distribution $P_Y$ (or $P_Z$) if $|\phi_0\rangle$ (or $|\psi_0\rangle$) was the state before the reveal phase. The 
random variables $Y$ and $Z$ can take values $\{0,1\}$ (corresponding to the opened 
bit) or the value 'reject (r)'. Since the trace distance does not increase under 
measurements, $D(P_Y, P_Z) \le D(|\phi_0\rangle\langle\phi_0|, |\psi_0\rangle\langle\psi_0|) \le \sqrt{2\epsilon}$. Hence $\frac{1}{2}(|P_Y(0) - 
P_Z(0)| + |P_Y(1) - P_Z(1)| + |P_Y(r) - P_Z(r)|) \le \sqrt{2\epsilon}$. Since $|\phi_0\rangle$ corresponds to 
Alice's honest commitment to 0 we have $P_Y(0) = 1$, $P_Y(1) = P_Y(r) = 0$ and 
hence $P_Z(0) \ge 1 - \sqrt{2\epsilon}$. □ 

* Geometrically, an affine function is a linear function plus a translation. 



10.3 Impossibility of quantum string commitments 

As we saw above, any $(n,a,b)$-QBSC is also an $(n,a,b)$-QBSC$_\xi$ with the security 
measure $\xi(\mathcal{E})$ defined in Eq. (10.1). To prove our impossibility result we now prove 
that an $(n,a,b)$-QBSC$_\xi$ can only exist for values $a$, $b$ and $n$ obeying $a + b + c \ge n$, 
where $c$ is a small constant independent of $a$, $b$ and $n$. This in turn implies the 
impossibility of an $(n,a,b)$-QBSC for such parameters. Finally, we show that if 
we execute the protocol many times in parallel, the protocol can only be secure 
if $a + b \ge n$. 

The intuition behind our proof is simple: To cheat, Alice first chooses a 
two-universal hash function $g$. She then commits to a superposition of all strings for 
which $g(x) = y$ for a specific $y$. We now know from the privacy amplification 
theorem above, that even though Bob may gain some knowledge about $x$, he is 
entirely ignorant about $y$. But then Alice can change her mind and reveal a string 
from a different set of strings for which $g(x) = y'$ with $y \neq y'$ as we saw above! 
The following figure illustrates this idea. 

10.3.1. Theorem. $(n,a,b)$-QBSC$_\xi$ schemes with $a + b + c < n$ do not exist, 
where $c = 5\log 5 - 4 \approx 7.61$ is a constant. 

Proof. Consider an $(n,a,b)$-QBSC$_\xi$ and the case where both Alice and Bob 
are honest. Alice committed to $x$. We denote the joint state of the system 
Alice-Bob-Channel $\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_C$ after the commit phase by $|\phi_x\rangle$ for input state $|x\rangle$. 
Let $\rho_x$ be Bob's reduced density matrix, and let $\mathcal{E} = \{p_x, \rho_x\}$ where $p_x = 2^{-n}$. 

Figure 10.1: Moving from a set of strings with $g(x) = y$ to a set of strings with 
$g(x) = (y \bmod 5) + 1$. 



Assuming that Bob is honest, we will give a cheating strategy for Alice in the 
case where $a + b + 5\log 5 - 4 < n$. The strategy will depend on the two-universal 
hash function $g : \mathcal{X} = \{0,1\}^n \to \mathcal{Y} = \{0,1\}^{n-m}$, for appropriately chosen $m$. 
Alice picks a $y \in \mathcal{Y}$ and constructs the state $\left(\sum_{x \in g^{-1}(y)} |x\rangle|x\rangle\right)/\sqrt{|g^{-1}(y)|}$. She 
then gives the second half of this state as input to the protocol and stays honest 
for the rest of the commit phase. The joint state of Alice and Bob at the end of the 
commit phase is thus $|\psi_y^g\rangle = \left(\sum_{x \in g^{-1}(y)} |x\rangle|\phi_x\rangle\right)/\sqrt{|g^{-1}(y)|}$. The reduced states 
on Bob's side are $\sigma_y^g = \sum_{x \in g^{-1}(y)} p_x \rho_x$ with probability $q_y^g = \sum_{x \in g^{-1}(y)} p_x$. We 
denote this ensemble by $\mathcal{E}_g$. Let $\sigma^g = \sum_y q_y^g \sigma_y^g$. 



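We now apply Theorem 10.2.3 with $s = n - m$ and $\xi(\mathcal{E}) \le b$ and obtain 
$\frac{1}{|\mathcal{G}|} \sum_{g \in \mathcal{G}} d(\mathcal{E}_g) \le \epsilon$ where $\epsilon = \frac{1}{2}\, 2^{-\frac{1}{2}(m-b)}$. Hence, there is at least one $g$ such that 
$d(\mathcal{E}_g) \le \epsilon$. Intuitively, this means that Bob knows only very little about the value 
of $g(x)$. This $g$ defines Alice's cheating strategy. It is straightforward to verify 
that $d(\mathcal{E}_g) \le \epsilon$ implies 

$$2^{-(n-m)} \sum_y D(\sigma^g, \sigma_y^g) \le 2\epsilon. \qquad (10.3)$$

We therefore assume without loss of generality that Alice chooses $y_0 \in \mathcal{Y}$ with 
$D(\sigma^g_{y_0}, \sigma^g) \le 2\epsilon$. 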






We first observe that the probability to successfully reveal some $x$ in $g^{-1}(y)$ 
given $|\psi_y^g\rangle$ is one*. We say that Alice reveals $y$ if she reveals an $x$ such that 
$y = g(x)$. We then also have that the probability for Alice to reveal $y$ given $|\psi_y^g\rangle$ 
successfully is one. Let and denote the probabilities to successfully reveal 
$x$ and $y$ respectively and be the conditional probability to successfully reveal 
$x$, given $y$. We have 



P2 



where the inequality follows from our observation above. 

As in the impossibility proof of bit commitment, Alice can now transform $|\psi^{y_0}\rangle$ approximately into $|\psi^y\rangle$ if $\sigma^{y_0}$ is sufficiently close to $\sigma^y$ by using only local transformations on her part. Indeed, Lemma 10.2.4 tells us how to bound the probability of revealing y, given that the state was really $|\psi^{y_0}\rangle$. Since this reasoning applies to all y, on average, we have



> 2"-™-2"-'"v^ /2"^-«^D«,(t|) 



> 2"-™ I 1 - 72 

> 2"-™(l-2v^) 



where the first inequality follows from Lemma 10.2.4, the second from Jensen's inequality and the concavity of the square root function, the third from the triangle inequality and the fourth from Eq. (10.3) and $D(\sigma^{y_0}, \sigma) \le 2\varepsilon$. Recall that to be secure against Alice, we require $2^a \ge 2^{n-m}(1 - 2\sqrt{2\varepsilon})$. We insert $\varepsilon = \frac{1}{2} 2^{-\frac{1}{2}(m-b)}$, define $m = b + \gamma$ and take the logarithm on both sides to get

$$a + b + \delta \ge n, \qquad (10.4)$$

where $\delta = \gamma - \log(1 - 2^{-\gamma/4+1})$. Keeping in mind that $1 - 2^{-\gamma/4+1} > 0$ (or equivalently $\gamma > 4$), we find that the minimum value of $\delta$ for which Eq. (10.4) is satisfied is $\delta = 5\log 5 - 4$ and arises from $\gamma = 4(\log 5 - 1)$. Thus, no (n, a, b)-QBSC$_\xi$ with $a + b + 5\log 5 - 4 < n$ exists. □



It follows immediately that the same restriction holds for an (n, a, b)-QBSC:

^1 Alice learns x, but can't pick it: she committed to a superposition and x is chosen randomly by measurement.

10.3.2. Corollary. (n, a, b)-QBSC schemes with $a + b + c < n$ do not exist, where $c = 5\log 5 - 4 \approx 7.61$ is a constant.

Proof. For the uniform distribution we have from the concealing condition that $\sum_x p_{x|x} \le 2^b$, which by Lemma 10.2.2 implies $\xi(\mathcal{E}) \le b$. Thus, an (n, a, b)-QBSC is an (n, a, b)-QBSC$_\xi$ from which the result follows. □



Since the constant c does not depend on a, b and n, multiple parallel executions of the protocol can only be secure if $a + b \ge n$. This follows by considering m parallel executions of the protocol as a single execution with a string of length mn.

10.3.3. Corollary. Let P be an (n, a, b)-QBSC with $P^m$ an (mn, ma, mb)-QBSC. Then $n \le a + b + c/m$. In particular, no (n, a, b)-QBSC with $a + b < n$ can be executed securely an arbitrary number of times in parallel.

Thus, we can indeed hope to do no better than the trivial protocol. It follows
directly from [KMP04] that the results in this section also hold in the presence
of superselection rules, where, very informally, quantum actions are restricted to 
act only on certain subspaces of a larger Hilbert space. 



10.4 Possibility 

Surprisingly, if one is willing to measure Bob's ability to learn x using a weaker measure of information, the accessible information, non-trivial protocols become possible. These protocols are based on a discovery known as "locking of classical information in quantum states" which we already encountered in Chapter 5.

The protocol, which we call LOCKCOM(n, $\mathcal{U}$), uses this effect and is specified by a set $\mathcal{U} = \{U_1, \ldots, U_{|\mathcal{U}|}\}$ of unitaries. We have

Protocol 1: LOCKCOM(n, $\mathcal{U}$)

1: Commit phase: Alice has the string $x \in \{0,1\}^n$ and randomly chooses $r \in \{1, \ldots, |\mathcal{U}|\}$. She sends the state $U_r|x\rangle$ to Bob, where $U_r \in \mathcal{U}$.

2: Reveal phase: Alice announces r and x. Bob applies $U_r^\dagger$ and measures in the computational basis to obtain x'. He accepts if and only if x' = x.

We now first show that our protocol is secure with respect to Definition 10.2.1 if Alice is dishonest. Note that our proof only depends on the number of unitaries used, and is independent of a concrete instantiation of the protocol.

10.4.1. Lemma. For any LOCKCOM(n, $\mathcal{U}$) protocol the security against a dishonest Alice is bounded by $2^a \le |\mathcal{U}|$.
Proof. Let $p_x$ denote the probability that Alice reveals x successfully. Then, $p_x \le \sum_r p_{x,r}$, where $p_{x,r}$ is the probability that x is accepted by Bob when the reveal information was r. Let $\rho$ denote the state of Bob's system. Summation over x now yields

$$\sum_x p_x \le \sum_{x,r} p_{x,r} = \sum_{x,r} \mathrm{Tr}\,|x\rangle\langle x| U_r^\dagger \rho U_r = \sum_r \mathrm{Tr}\,\rho = 2^a.$$

□



In order to examine security against a dishonest Bob, we have to consider the actual form of the unitaries. We first show that there do indeed exist interesting protocols. Secondly, we present a simple, implementable, protocol. To see that interesting protocols can exist, let Alice choose a set of $O(n^4)$ unitaries independently according to the Haar measure (approximately discretized) and announce the resulting set $\mathcal{U}$ to Bob. They then perform LOCKCOM(n, $\mathcal{U}$). Following the work of [HLSW04], we now show that this variant is secure against Bob with high probability. That is, there exist $O(n^4)$ unitaries that bring Bob's accessible information down to a constant: $I_{acc}(\mathcal{E}) \le 4$:

10.4.2. Theorem. For $n \ge 3$, there exist (n, 4 log n + O(1), 4)-QBSC$_{I_{acc}}$ protocols.

Proof. Let $\mathcal{U}_{ran}$ denote the set of m randomly chosen bases and consider the LOCKCOM(n, a, b) scheme using unitaries $\mathcal{U} = \mathcal{U}_{ran}$. Security against Alice is again given by Lemma 10.4.1. We now need to show that this choice of unitaries achieves the desired locking effect and thus security against Bob. Again, let $d = 2^n$ denote the dimension. As we saw in Section 5.2.1 we have that



^acci^) < log d + max — H(X 



\4>) ^ m ' 



where $X_j$ denotes the outcome of the measurement of $|\phi\rangle$ in basis j and the maximum is taken over all pure states $|\phi\rangle$. According to [HLSW04, Appendix B] there is a constant $C' > 0$ such that



^ m 

Vi[ini — ^H{Xj) < (l-£)logd-3] 



4> m . ^ 



for $d \ge 7$ and $\varepsilon \le 2/5$. Set $\varepsilon = 1/\log d$. The RHS of the above equation then decreases provided that m > ^(logd)^. Thus with $d = 2^n$ and $\log m = 4\log n + O(1)$, the accessible information of the ensemble corresponding to the commitment is then $I_{acc}(\mathcal{E}) \le \log d - (1 - \varepsilon)\log d + 3 = \varepsilon \log d + 3 = 4$ for our choice of $\varepsilon$. □



Unfortunately, the protocol is inefficient both in terms of computation and 
communication. It remains open to find an efficient constructive scheme with 
those parameters. 

In contrast, for only two bases, an efficient construction exists and uses the identity and the Hadamard transform as unitaries. For this case, the security of the standard LOCKCOM protocol follows immediately from the locking arguments of Chapter 5. It has been shown that this protocol can be made cheat-sensitive [Chr05].

10.4.3. Theorem. LOCKCOM(n, 1, n/2) using $\mathcal{U} = \{I^{\otimes n}, H^{\otimes n}\}$ is a (n, 1, n/2)-QBSC$_{I_{acc}}$ protocol.

Proof. The result follows immediately from Lemma 10.4.1 and the fact that by Corollary 5.2.3 $I_{acc}(\mathcal{E}) \le n/2$ for Bob. □

We can thus obtain non-trivial protocols by exploiting the locking effects discussed in Chapter 5. Note, however, that the security parameters are very weak. Indeed, if Alice uses only two possible bases chosen with equal probability then Bob is always able to obtain the encoded string with probability at least 1/2: he simply guesses the basis and performs the corresponding measurement.



10.5 Conclusion 

We have introduced a framework for quantum commitments to a string of bits. 
Even if we consider string commitments that are weaker than bit commitments, 
no non-trivial protocols can exist if we choose a very strong measure of security. 
A property of quantum states known as locking, however, allowed us to propose 
meaningful protocols for a much weaker security demand. One could extend our 
method to the case of weak secure function evaluation as was done for the original 
bit commitment protocol in [Lo97]. After completion of our work, Jain [Jai05] has also shown using a different method that QBSC$_\chi$ protocols with $a + 16b + 31 < n$ cannot exist.

A drawback of weakening the security requirement is that LOCKCOM protocols are not necessarily composable. Thus, if LOCKCOM is used as a sub-protocol in a larger protocol, the security of the resulting scheme has to be evaluated on a case by case basis. However, LOCKCOM protocols are secure when executed in parallel. This is a consequence of the definition of Alice's security parameter and the additivity of the accessible information (see Chapter 2), and sufficient for many cryptographic purposes.

However, two important open questions remain: First, how can we construct efficient protocols using more than two bases? It may be tempting to conclude that we could simply use a larger number of mutually unbiased bases, such as given by the identity and Hadamard transform. Yet, as we saw in Chapter 4, using more mutually unbiased bases does not necessarily lead to a better locking effect and thus better string commitment protocols. Finally, are there any novel applications for this weak quantum string commitment?

Fortunately, it turns out that we can implement protocols with very strong security parameters if we are willing to introduce additional assumptions. We now show how to obtain oblivious transfer from the assumption that qubits are affected by noise during storage.
Given the negative results from the last chapter, what can we still hope to achieve? Fortunately, the situation is not quite as bleak if we are taking advantage of the technical limitation that quantum storage is necessarily noisy. Here, the very problem that still prevents us from implementing a quantum computer can actually be turned to our advantage! As we saw in Chapter 1, the primitive of oblivious transfer allows us to implement essentially all cryptographic protocols among two mutually distrustful players, and hence we focus on this primitive.

11.1 Introduction 

As outlined in Chapter 1, it was recently shown that secure OT is possible when the receiver Bob has a limited amount of quantum memory [DFSS05, DFR+07] at his disposal. Within this 'bounded-quantum-storage model' OT can be implemented securely as long as a dishonest receiver Bob can store at most n/4 − O(1) qubits coherently, where n is the number of qubits transmitted from Alice to Bob. The problem with this approach is that it assumes an explicit limit on the physical number of qubits (or more precisely, the rank of the adversary's quantum state). However, at present we do not know of any practical physical situation which enforces such a limit for quantum information. On the other hand it is a fact that currently and in the near-future storing photonic qubits is noisy. We therefore propose an alternative model of noisy-quantum storage inspired by present-day physical implementations: We require no explicit memory bound, but we assume that any qubit that is placed into quantum storage undergoes a certain amount of noise. Here, we take the 1-2 OT protocol from [DFR+07] as our starting point, and analyze it in this model. This simple 1-2 OT protocol can be implemented using photonic qubits (using polarization or phase-encoding) with standard BB84 quantum key distribution [BB84, GRTZ02] hardware, only with different classical post-processing.

Our adversary model is that of collective attacks (in analogy with collective eavesdropping attacks in the quantum key distribution setting). More precisely:

• Bob may choose to (partially) measure (a subset of) his qubits immediately 
upon reception using an error-free product measurement. 

• Bob may store each incoming qubit, or post-measurement state from a prior 
partial measurement, separately and wait until he gets additional informa- 
tion from Alice (at Step 3 in Protocol 1). 

• Once he obtained the additional information he may perform an arbitrary 
coherent measurement on his stored qubits and stored classical data. 

We assume that a qubit $q_i$ undergoes some noise while in storage, where we denote the combined channel given by Bob's initial (partial) measurement, followed by the noise by super-operator $S_i$. The source of noise can be due to the transfer of the qubit onto a different physical carrier, such as an atomic ensemble or atomic state for example, or into an error-correcting code with fidelity less than 1. In addition, the (encoded) qubit will undergo noise once it has been transferred into 'storage'. Hence, the quantum operation $S_i$ in any real world setting will necessarily include some form of noise. Note that such noise is typically much larger than the noise experienced by honest players who only need to make immediate complete measurements in the BB84 basis.

First of all, we show that for any initial measurement by Bob, and any noisy superoperator $S_i$ the 1-2 OT protocol is secure if the honest players can perform perfect noise-free quantum operations. As an explicit example, we consider depolarizing noise for which we reduce the set of optimal attacks to two simple ones: measure in the so-called Breidbart basis or let the qubits undergo depolarizing noise. This allows us to obtain an explicit tradeoff between the amount of noise in storage and the security of the protocol.

In a real implementation using photonic qubits the execution of the protocol 
by the honest players is imperfect: their quantum operations can be inaccurate 
or noisy, weak laser pulses instead of single photon sources are used and qubits 
undergo decoherence in transmission. Note, however, that unlike in QKD, we also 
want to execute such protocols over very short distances (for example in banking 
applications) such that the depolarization rate during transmission in free-space 
is very low. Our practical 1-2 OT-protocol is a small modification of the perfect 
protocol, so that we can separately deal with erasure errors (i.e. photon loss) and 
the rate of these errors does not affect the security of the protocol. We then show 
for this practical protocol how one can derive trade-offs between the amount of 
storage noise, the amount of noise for the operations performed by the honest 
players, and the security of the protocol. At the end, we discuss the issue of 
analyzing fully coherent attacks for our protocol. Indeed, there is a close relation 
between the 1-2 OT protocol and BB84 quantum key distribution. 
Our security analysis can in principle be carried over to obtain a secure identification scheme in the noisy-quantum-storage model analogous to [DFSS07]. This scheme achieves password-based identification and is of particular practical relevance as it can be used for banking applications.

11.1.1 Related work

Precursors of the idea of basing the security of 1-2 OT on storage-noise are already present in [BBCS92b] which laid the foundations for the protocol in [DFR+07], but no rigorous analysis was carried through in that paper. Furthermore, it was pointed out in [Sch07, DFSS05] how the original bounded-quantum-storage analysis applies in the case of noise levels which are so large that the rank of a dishonest player's quantum storage is reduced to n/4. In contrast, we are able to give an explicit security tradeoff even for small amounts of noise. We furthermore note that our security proof is not exploiting the noise in the communication channel (which has been done in the classical setting to achieve cryptographic tasks, see e.g. [CK88, Cre97, CMW04]), but is solely based on the fact that the dishonest receiver's quantum storage is noisy. Another technical limitation has been considered in [Sal98] where a bit-commitment scheme was shown secure under the assumption that the dishonest committer can only measure a limited number of qubits coherently. Our analysis differs in that we allow any coherent measurement at the very end. Furthermore, the security analysis of our protocol is considerably simpler and more promising to be extended to cover more general cases.

11.2 Preliminaries
11.2.1 Definitions

We start by introducing some tools, definitions and technical lemmas. To define the security of 1-2 OT, we need to express what it means for a dishonest quantum player not to gain any information. Let $\rho_{XE}$ be a state that is part classical, part quantum, i.e. a cq-state $\rho_{XE} = \sum_{x \in \mathcal{X}} P_X(x)|x\rangle\langle x| \otimes \rho_E^x$. Here, X is a classical random variable distributed over the finite set $\mathcal{X}$ according to distribution $P_X$. In this Chapter, we will write the non-uniformity of X given $\rho_E = \sum_x P_X(x)\rho_E^x$ as

Intuitively, if $d(X|\rho_E) \le \varepsilon$ the distribution of X is $\varepsilon$-close to uniform even given $\rho_E$, i.e., $\rho_E$ gives hardly any information about X. A simple property of the non-uniformity which follows from its definition is that for any cq-state of the form $\rho_{XED} = \rho_{XE} \otimes \rho_D$, we have

$$d(X|\rho_{ED}) = d(X|\rho_E). \qquad (11.1)$$

We prove the security of a randomized version of OT. In such a protocol, Alice does not choose her input strings herself, but instead receives two strings $S_0, S_1 \in \{0,1\}^\ell$ chosen uniformly at random by the protocol. Randomized OT (ROT) can easily be converted into OT: after the ROT protocol is completed, Alice uses her strings $S_0, S_1$ obtained from ROT as one-time pads to encrypt her original inputs $\hat{S}_0$ and $\hat{S}_1$, i.e. she sends an additional classical message consisting of $S_0 \oplus \hat{S}_0$ and $S_1 \oplus \hat{S}_1$ to Bob. Bob can retrieve the message of his choice by computing $S_C \oplus (S_C \oplus \hat{S}_C) = \hat{S}_C$. He stays completely ignorant about the other message $\hat{S}_{1-C}$ since he is ignorant about $S_{1-C}$. The security of a quantum protocol implementing ROT is defined in [DFSS05, DFR+07] for a standalone setting. A more involved definition allowing for composability can be found in [WW07]. In the following, we use $\rho_B$ to denote the complete quantum state of Bob's lab at the end of the protocol including any additional classical information he may have received directly from Alice. Similarly, we use $\rho_{C S'_0 S'_1 A}$ and $\rho_{S'_0 S'_1 A}$ to denote the c-q states corresponding to the state of Alice's lab at the end of the protocol including her classical information about Bob's choice bit C and outputs $S'_0$ and $S'_1$ as defined below.

11.2.1. Definition. An $\varepsilon$-secure 1-2 ROT$^\ell$ is a protocol between Alice and Bob, where Bob has input $C \in \{0,1\}$, and Alice has no input. For any distribution of C:

• (Correctness) If both parties are honest, Alice gets output $S_0, S_1 \in \{0,1\}^\ell$ and Bob learns $Y = S_C$ except with probability $\varepsilon$.

• (Receiver-security) If Bob is honest and obtains output Y, then for any cheating strategy of Alice resulting in her state $\rho_A$, there exist random variables $S'_0$ and $S'_1$ such that $\Pr[Y = S'_C] \ge 1 - \varepsilon$ and C is $\varepsilon$-independent of $S'_0, S'_1$ and $\rho_A$, i.e., $D(\rho_{C S'_0 S'_1 A}, \rho_C \otimes \rho_{S'_0 S'_1 A}) \le \varepsilon$.

• (Sender-security) If Alice is honest, then for any cheating strategy of Bob resulting in his state $\rho_B$, there exists a random variable $C' \in \{0,1\}$ such that $d(S_{1-C'} \mid S_{C'} C' \rho_B) \le \varepsilon$.

Note that cheating Bob may of course not choose a C beforehand. Intuitively, 
our requirement for security states that whatever Bob does, he will be ignorant 
about at least one of Alice's inputs. This input is determined by his cheating 
strategy. Our requirement for receiver security states that C is independent of 
Alice's output, and hence Alice learns nothing about C. 

The protocol makes use of two-universal hash functions that are used for privacy amplification similar as in QKD, which we already encountered in Section 10.2.3. For the remainder of this Chapter, we first define

11.2.2. Definition. For a measurement M with POVM elements $\{M_x\}_{x \in \mathcal{X}}$ let $p_{y|x} = \mathrm{Tr}(M_y \rho_E^x)$ be the probability of outputting guess y given $\rho_E^x$. Then

$$P_g(X|\rho_E) := \sup_M \sum_x P_X(x)\, p_{x|x}$$

is the maximal average success probability of guessing $x \in \mathcal{X}$ given the reduced state $\rho_E$ of the cq-state $\rho_{XE}$.



We will employ privacy amplification in the form of the following Lemma, which is an immediate consequence of Lemma 10.2.2 and Theorem 10.2.3 (Theorem 5.5.1 in [Ren05]):

11.2.3. Lemma. Let $\mathcal{F}$ be a class of two-universal hash functions from $\{0,1\}^n$ to $\{0,1\}^\ell$. Let F be a random variable that is uniformly and independently distributed over $\mathcal{F}$, and let $\rho_{XE}$ be a cq-state. Then,

$$d(F(X)|F, \rho_E) \le 2^{\frac{\ell}{2} - 1}\sqrt{P_g(X|\rho_E)}.$$

If we have an additional k bits of classical information D about X,

$$d(F(X)|F, D, \rho_E) \le 2^{\frac{\ell + k}{2} - 1}\sqrt{P_g(X|\rho_E)}.$$

Furthermore, we will need the following lemma which states that the optimal strategy to guess $X = x \in \{0,1\}^n$ given individual quantum information about the bits of X is to measure each register individually.

11.2.4. Lemma. Let $\rho_{XE}$ be a cq-state with uniformly distributed $X = x \in \{0,1\}^n$ and $\rho_E^x = \rho_{E_1}^{x_1} \otimes \ldots \otimes \rho_{E_n}^{x_n}$. Then the maximum probability of guessing x given state $\rho_E$ is $P_g(X|\rho_E) = \prod_{i=1}^n P_g(X_i|\rho_{E_i})$, which can be achieved by measuring each register separately.

Proof. For simplicity, we will assume that each bit is encoded using the same states $\rho_0 = \rho_{E_i}^0$ and $\rho_1 = \rho_{E_i}^1$. The argument for different encodings is analogous, but harder to read. First of all, note that we can phrase the problem of finding the optimal probability of distinguishing two states as a semi-definite program (SDP)

maximize $\frac{1}{2}(\mathrm{Tr}(M_0\rho_0) + \mathrm{Tr}(M_1\rho_1))$
subject to $M_0, M_1 \ge 0$
$M_0 + M_1 = I$

with the dual program

minimize $\frac{1}{2}\mathrm{Tr}(Q)$
subject to $Q \ge \rho_0$
$Q \ge \rho_1$.

Let $p^*$ and $d^*$ denote the optimal values of the primal and dual respectively. From the weak duality of SDPs, we have $p^* \le d^*$. Indeed, since $M_0, M_1 = I/2$ are feasible solutions, we even have strong duality: $p^* = d^*$ [VB96].

Of course, the problem of determining the entire string x from $\hat{\rho}_x := \rho_E^x$ can also be phrased as a SDP:

maximize $\frac{1}{2^n}\sum_{x \in \{0,1\}^n} \mathrm{Tr}(\hat{M}_x \hat{\rho}_x)$
subject to $\forall x,\ \hat{M}_x \ge 0$
$\sum_{x \in \{0,1\}^n} \hat{M}_x = I$

with the corresponding dual

minimize $\frac{1}{2^n}\mathrm{Tr}(\hat{Q})$
subject to $\forall x,\ \hat{Q} \ge \hat{\rho}_x$.

Let $\hat{p}^*$ and $\hat{d}^*$ denote the optimal values of this new primal and dual respectively. Again, $\hat{p}^* = \hat{d}^*$.

Note that when trying to learn the entire string x, we are of course free to measure each register individually and thus $(p^*)^n \le \hat{p}^*$. We now show that $\hat{d}^* \le (d^*)^n$ by constructing a dual solution $\hat{Q}$ from the optimal solution to the dual of the single-register case, $Q^*$: Take $\hat{Q} = (Q^*)^{\otimes n}$. Since $Q^* \ge \rho_0$ and $Q^* \ge \rho_1$ it follows that $\forall x,\ (Q^*)^{\otimes n} \ge \hat{\rho}_x$. Thus $\hat{Q}$ satisfies the dual constraints. Clearly, $2^{-n}\mathrm{Tr}(\hat{Q}) = (2^{-1}\mathrm{Tr}(Q^*))^n$ and thus we have $\hat{d}^* \le (d^*)^n$ as promised. But from $(p^*)^n \le \hat{p}^*$, $\hat{p}^* = \hat{d}^*$, and $p^* = d^*$ we immediately have $\hat{p}^* = (p^*)^n$. □



The next tool we need is an uncertainty relation for noisy channels and measurements. Let $\sigma_{0,+} = |0\rangle\langle 0|$, $\sigma_{1,+} = |1\rangle\langle 1|$, $\sigma_{0,\times} = |+\rangle\langle +|$ and $\sigma_{1,\times} = |-\rangle\langle -|$ denote the BB84-states corresponding to the encoding of a bit $z \in \{0,1\}$ into basis $b \in \{+,\times\}$ (computational resp. Hadamard basis). Let $\sigma_+ = (\sigma_{0,+} + \sigma_{1,+})/2$ and $\sigma_\times = (\sigma_{0,\times} + \sigma_{1,\times})/2$. Consider the state $S(\sigma_{z,b})$ for some super-operator S. Note that $P_g(X|S(\sigma_b))$ (see Lemma 11.2.4) denotes the maximal average success probability for guessing a uniformly distributed X when b = + or b = ×. An uncertainty relation for such success probabilities can be stated as

$$P_g(X|S(\sigma_+)) \cdot P_g(X|S(\sigma_\times)) \le \Delta(S)^2, \qquad (11.2)$$

where $\Delta$ is a function from the set of superoperators to the real numbers. For example, when S is a quantum measurement $\mathcal{M}$ mapping the state $\sigma_{z,b}$ onto purely classical information it can be argued (e.g. by using a purification argument and Corollary 4.15 in [Sch07]) that $\Delta(\mathcal{M}) = \frac{1}{2}(1 + 2^{-1/2})$ which can be achieved by a measurement in the Breidbart basis, where the Breidbart basis is given by $\{|0\rangle_B, |1\rangle_B\}$ with

$$|0\rangle_B = \cos(\pi/8)|0\rangle + \sin(\pi/8)|1\rangle$$
$$|1\rangle_B = \sin(\pi/8)|0\rangle - \cos(\pi/8)|1\rangle$$

It is clear that for a unitary superoperator U we have $\Delta(U)^2 = 1$ which can be achieved. It is not hard to show that

11.2.5. Lemma. The only superoperators $S: \mathcal{H}_{in} \to \mathcal{H}_{out}$ with $\dim(\mathcal{H}_{in}) = 2$ for which $P_g(X|S(\sigma_+)) \cdot P_g(X|S(\sigma_\times)) = 1$ are reversible operations.

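Proof. Using Helstrom's formula [Hel67] we have that $P_g(Z|S(\sigma_b)) = \frac{1}{2}[1 + \|S(\sigma_{0,b}) - S(\sigma_{1,b})\|_1/2]$ and thus for $\Delta(S) = 1$ we need that for both $b \in \{\times, +\}$, $\|S(\sigma_{0,b}) - S(\sigma_{1,b})\|_1/2 = 1$. This implies that $S(\sigma_{0,b})$ and $S(\sigma_{1,b})$ are states which have support on orthogonal sub-spaces for both b. Let $S(\sigma_{0,+}) = \sum_k p_k |\psi_k\rangle\langle\psi_k|$ and $S(\sigma_{1,+}) = \sum_k q_k |\psi_k^\perp\rangle\langle\psi_k^\perp|$ where for all k, l $\langle\psi_k^\perp|\psi_l\rangle = 0$. Consider the purification of $S(\sigma_{i,b})$ using an ancillary system i.e. $|\phi_{i,b}\rangle = U_S|i\rangle_b|0\rangle$. We can write $|\phi_{0,+}\rangle = \sum_k \sqrt{p_k}|\psi_k, k\rangle$ and $|\phi_{1,+}\rangle = \sum_k \sqrt{q_k}|\psi_k^\perp, k\rangle$. Hence $U_S|0\rangle_\times|0\rangle = \frac{1}{\sqrt{2}}(|\phi_{0,+}\rangle + |\phi_{1,+}\rangle)$ and similar for $U_S|1\rangle_\times|0\rangle$. So we can write

$$\|S(\sigma_{0,\times}) - S(\sigma_{1,\times})\|_1 =$$

For this quantity to be equal to 2 we observe that it is necessary that $p_k = q_k$. Thus we set $p_k = q_k$. We observe that if any of the states $|\psi_k\rangle$ (or $|\psi_k^\perp\rangle$) are non-orthogonal, i.e. $|\langle\psi_k|\psi_l\rangle| > 0$, then we have $\|\sum_k p_k(|\psi_k\rangle\langle\psi_k^\perp| + |\psi_k^\perp\rangle\langle\psi_k|)\|_1 < 2$.

Let $\mathcal{S}_k$ be the two-dimensional subspace spanned by the orthogonal vectors $|\psi_k\rangle$ and $|\psi_k^\perp\rangle$. By the arguments above, the spaces $\mathcal{S}_k$ are mutually orthogonal. We can reverse the super-operator S by first projecting the output into one of the orthogonal subspaces $\mathcal{S}_k$ and then applying a unitary operator $U_k$ that maps $|\psi_k\rangle$ and $|\psi_k^\perp\rangle$ onto the states $|0\rangle$ and $|1\rangle$. □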

Finally, we need the following little technical lemma: 

11.2.6. Lemma. For any $\frac{1}{2} \le p_i \le 1$ with $\prod_{i=1}^n p_i \le p^n$, we have

1 " 

i=l 

Proof. With $\lambda := \log(4/3)$, it is easy to verify that $p_i^{-\lambda} + p_i^{1-\lambda} \le 2$ for $1/2 \le p_i \le 1$ and therefore,

$$\frac{1}{2^n}\prod_{i=1}^n (1 + p_i) = \frac{1}{2^n}\prod_{i=1}^n p_i^{\lambda}\left(p_i^{-\lambda} + p_i^{1-\lambda}\right) \le \frac{1}{2^n} \cdot p^{\lambda n} \cdot 2^n.$$

□

11.3 Protocol and analysis
11.3.1 Protocol 

We use $\in_R$ to denote the uniform choice of an element from a set. We further use $x|_{\mathcal{T}}$ to denote the string $x = x_1, \ldots, x_n$ restricted to the bits indexed by the set $\mathcal{T} \subseteq \{1, \ldots, n\}$. For convenience, we take $\{+, \times\}$ instead of $\{0, 1\}$ as domain of Bob's choice bit C and denote by $\bar{C}$ the bit different from C.

Protocol 2: 1-2 ROT$^\ell$(C, T) [DFR+07]

1: Alice picks $X \in_R \{0,1\}^n$ and $\theta \in_R \{+,\times\}^n$. Let $\mathcal{I}_b = \{i \mid \theta_i = b\}$ for $b \in \{+,\times\}$. At time t = 0, she sends $\sigma_{X_1,\theta_1} \otimes \ldots \otimes \sigma_{X_n,\theta_n}$ to Bob.

2: Bob measures all qubits in the basis corresponding to his choice bit $C \in \{+,\times\}$. This yields outcome $X' \in \{0,1\}^n$.

3: Alice picks two hash functions $F_+, F_\times \in_R \mathcal{F}$, where $\mathcal{F}$ is a class of two-universal hash functions. At time t = T, she sends $\mathcal{I}_+, \mathcal{I}_\times, F_+, F_\times$ to Bob. Alice outputs $S_+ = F_+(X|_{\mathcal{I}_+})$ and $S_\times = F_\times(X|_{\mathcal{I}_\times})$.^a

4: Bob outputs $S_C = F_C(X'|_{\mathcal{I}_C})$.

^a If $X|_{\mathcal{I}_b}$ is less than n bits long Alice pads the string $X|_{\mathcal{I}_b}$ with 0's to get an n bit-string in order to apply the hash function to n bits.
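An honest run of Protocol 2, followed by the one-time-pad conversion from ROT to OT described in Section 11.2.1, can be simulated classically. The following is an added example, not code from the thesis: it models only the honest BB84 measurement statistics (a measurement in the conjugate basis yields a fair coin) and assumes multiplication by a uniformly random binary matrix as the two-universal hash family; all function names are hypothetical.

```python
import secrets

BASES = "+x"  # '+' = computational basis, 'x' = Hadamard basis


def rand_bits(n):
    return [secrets.randbelow(2) for _ in range(n)]


def sample_hash(n, ell):
    """Assumed two-universal family: x -> Mx over GF(2), M a uniform ell x n matrix."""
    return [rand_bits(n) for _ in range(ell)]


def apply_hash(matrix, bits):
    return [sum(m & b for m, b in zip(row, bits)) % 2 for row in matrix]


def restrict(bits, index_set, n):
    """bits restricted to index_set, zero-padded to n bits (footnote a of Protocol 2)."""
    sub = [bits[i] for i in index_set]
    return sub + [0] * (n - len(sub))


def measure(bit, prepared_in, measured_in):
    """BB84 statistics: matching bases return the bit, conjugate bases a fair coin."""
    return bit if prepared_in == measured_in else secrets.randbelow(2)


def run_rot(n, ell, c):
    """One honest run of Protocol 2: returns Alice's outputs, Bob's output, a transcript."""
    # Step 1: Alice picks X and theta and sends the BB84 states.
    x = rand_bits(n)
    theta = [secrets.choice(BASES) for _ in range(n)]
    # Step 2: Bob measures every qubit in the basis given by his choice bit c.
    x_prime = [measure(x[i], theta[i], c) for i in range(n)]
    # Step 3: Alice announces the index sets and hash functions, outputs S_+ and S_x.
    index = {b: [i for i in range(n) if theta[i] == b] for b in BASES}
    f = {b: sample_hash(n, ell) for b in BASES}
    s = {b: apply_hash(f[b], restrict(x, index[b], n)) for b in BASES}
    # Step 4: Bob hashes his outcomes on the positions that match his basis.
    y = apply_hash(f[c], restrict(x_prime, index[c], n))
    return s, y, (x, x_prime, index)


def xor(a, b):
    return [u ^ v for u, v in zip(a, b)]


def ot_from_rot(msg_plus, msg_x, c, n=64):
    """ROT -> OT: Alice pads both inputs with her ROT outputs, Bob strips the pad he holds."""
    s, y, _ = run_rot(n, len(msg_plus), c)
    ciphertexts = {"+": xor(msg_plus, s["+"]), "x": xor(msg_x, s["x"])}
    return xor(ciphertexts[c], y)


def wrong_basis_agreement(n, c):
    """Fraction of positions outside I_c where Bob's outcome happens to equal Alice's bit."""
    _, _, (x, x_prime, index) = run_rot(n, 8, c)
    other = index["x" if c == "+" else "+"]
    return sum(x[i] == x_prime[i] for i in other) / len(other) if other else None


if __name__ == "__main__":
    s, y, _ = run_rot(64, 16, "+")
    print("Bob's output equals S_+:", y == s["+"])
    print("agreement on the other basis:", wrong_basis_agreement(4000, "+"))
```

An immediate measurement therefore leaves Bob with coin flips on the positions of the other basis; the analysis that follows concerns a Bob who stores the qubits instead.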



11.3.2 Analysis 



We now show that this protocol is secure according to Definition 11.2.1.

(i) Correctness: It is clear that the protocol is correct. Bob can determine the string $X|_{\mathcal{I}_C}$ (except with negligible probability $2^{-n}$ the set $\mathcal{I}_C$ is non-empty) and hence obtains $S_C$.

(ii) Security against dishonest Alice: this holds in the same way as shown in [DFR+07]. As the protocol is non-interactive, Alice never receives any information from Bob at all, and Alice's input strings can be extracted by letting her interact with an unbounded receiver.

(iii) Security against dishonest Bob: Our goal is to show that there exists a $C' \in \{+,\times\}$ such that Bob is completely ignorant about $S_{\bar{C}'}$. In our adversary model, Bob's collective storage cheating strategy can be described by some superoperator

$$S = \bigotimes_{i=1}^n S_i$$

that is applied on the qubits between the time they arrive at Bob's and the time T that Alice sends the classical information. We define the choice bit C' as a fixed function of Bob's cheating strategy S. Formally, we set $C' = +$ if $\prod_{i=1}^n P_g(X_i|S_i(\sigma_+)) \ge \prod_{i=1}^n P_g(X_i|S_i(\sigma_\times))$ and $C' = \times$ otherwise. Due to the uncertainty relation for each $S_i$ (from Eq. (11.2)) it then holds that

$$\prod_i P_g(X_i|S_i(\sigma_{\bar{C}'})) \le (\Delta_{max})^n,$$

where $\Delta_{max} := \max_i \Delta(S_i)$. This will be used in the proof below.
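In the remainder of this section, we show that the non-uniformity

$$\delta_{sec} := d(S_{\bar{C}'} \mid S_{C'} C' \rho_B)$$

is negligible in n for a collective attack. Here $\rho_B$ is the complete quantum state of Bob's lab at the end of the protocol including the classical information $\mathcal{I}_+, \mathcal{I}_\times, F_+, F_\times$ he got from Alice and his quantum information $\bigotimes_{i=1}^n S_i(\sigma_{X_i,\theta_i})$. Expressing the non-uniformity in terms of the trace-distance allows us to observe that $\delta_{sec} = 2^{-n}\sum_{\theta \in \{+,\times\}^n} d(S_{\bar{C}'} \mid \Theta = \theta, S_{C'} C' \rho_B)$. Now, for fixed $\Theta = \theta$, it is clear from the construction that $S_{C'}, C', F_{C'}$ and $\bigotimes_{i \in \mathcal{I}_{C'}} S_i(\sigma_{X_i,C'})$ are independent of $S_{\bar{C}'} = F_{\bar{C}'}(X|_{\mathcal{I}_{\bar{C}'}})$ and we can use Eq. (11.1). Hence, one can bound the non-uniformity as in Lemma 11.2.3, i.e. by the square-root of the probability of correctly guessing $X|_{\mathcal{I}_{\bar{C}'}}$ given the state $\bigotimes_{i \in \mathcal{I}_{\bar{C}'}} S_i(\sigma_{X_i,\bar{C}'})$. Lemma 11.2.4 tells us that to guess X, Bob can measure each remaining qubit individually and hence we obtain

$$\delta_{sec} \le 2^{\frac{\ell}{2}-1} \cdot 2^{-n} \sum_{\theta \in \{+,\times\}^n} \sqrt{\prod_{i \in \mathcal{I}_{\bar{C}'}} P_g(X_i|S_i(\sigma_{\bar{C}'}))}$$
$$\le 2^{\frac{\ell}{2}-1} \sqrt{2^{-n} \sum_{\theta \in \{+,\times\}^n} \prod_{i \in \mathcal{I}_{\bar{C}'}} P_g(X_i|S_i(\sigma_{\bar{C}'}))},$$

where we used the concavity of the square-root function in the last inequality. Lemma 11.2.6 together with the bound $\prod_i P_g(X_i|S_i(\sigma_{\bar{C}'})) \le (\Delta_{max})^n$ lets us conclude that

$$\delta_{sec} \le 2^{\frac{\ell}{2}-1} \cdot (\Delta_{max})^{\frac{\log(4/3)}{2} n}.$$

Lemma 11.2.5 shows that for essentially any noisy superoperator $\Delta(S) < 1$. This shows that for any collective attacks there exists an n which yields arbitrarily high security.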
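To put numbers on this tradeoff, the added example below (not code from the thesis) evaluates the product in Eq. (11.2) with Helstrom's formula for the two attacks named in the introduction, a Breidbart-basis measurement and depolarizing storage, and inserts the larger value of Δ into the bound $2^{\ell/2-1}(\Delta_{max})^{\frac{\log(4/3)}{2}n}$. The parametrisation ρ → rρ + (1 − r)I/2 of depolarizing noise and all function names are assumptions of this sketch; logarithms are base 2.

```python
import math


def ket(theta):
    """Density matrix of the real qubit state cos(theta)|0> + sin(theta)|1>."""
    c, s = math.cos(theta), math.sin(theta)
    return [[c * c, c * s], [c * s, s * s]]


# BB84 states (sigma_{0,b}, sigma_{1,b}) for b in {+, x}
SIGMA = {"+": (ket(0.0), ket(math.pi / 2)),
         "x": (ket(math.pi / 4), ket(-math.pi / 4))}
# Breidbart basis: |0>_B = cos(pi/8)|0> + sin(pi/8)|1>, |1>_B = sin(pi/8)|0> - cos(pi/8)|1>
BREIDBART = (ket(math.pi / 8), ket(math.pi / 8 - math.pi / 2))


def trace_norm_diff(rho0, rho1):
    """||rho0 - rho1||_1 for real symmetric 2x2 matrices, from the two eigenvalues."""
    a = rho0[0][0] - rho1[0][0]
    b = rho0[0][1] - rho1[0][1]
    d = rho0[1][1] - rho1[1][1]
    mean, radius = (a + d) / 2, math.hypot((a - d) / 2, b)
    return abs(mean + radius) + abs(mean - radius)


def guessing_probability(rho0, rho1):
    """Helstrom: P_g = 1/2 [1 + ||rho0 - rho1||_1 / 2] for two equiprobable states."""
    return 0.5 * (1 + trace_norm_diff(rho0, rho1) / 2)


def depolarize(r):
    """Assumed storage noise: rho -> r*rho + (1 - r)*I/2 with 0 <= r <= 1."""
    def channel(rho):
        return [[r * rho[i][j] + (1 - r) * 0.5 * (i == j) for j in range(2)]
                for i in range(2)]
    return channel


def breidbart_measurement(rho):
    """Immediate measurement in the Breidbart basis; only the classical outcome is kept."""
    probs = [sum(B[i][j] * rho[j][i] for i in range(2) for j in range(2))
             for B in BREIDBART]
    return [[probs[0], 0.0], [0.0, probs[1]]]


def delta(channel):
    """Square root of P_g(X|S(sigma_+)) * P_g(X|S(sigma_x)), the left side of Eq. (11.2)."""
    product = 1.0
    for b in "+x":
        s0, s1 = SIGMA[b]
        product *= guessing_probability(channel(s0), channel(s1))
    return math.sqrt(product)


def best_delta(r):
    """Better of the two attacks: measure at once, or store under depolarizing noise r."""
    return max(delta(breidbart_measurement), delta(depolarize(r)))


def security_bound(delta_max, n, ell):
    """2^(ell/2 - 1) * delta_max^((log2(4/3)/2) * n)."""
    return 2 ** (ell / 2 - 1) * delta_max ** (math.log2(4 / 3) / 2 * n)


def qubits_needed(delta_max, ell, eps):
    """Smallest n for which security_bound(delta_max, n, ell) <= eps."""
    if delta_max >= 1:
        raise ValueError("noise-free storage: the bound never decreases")
    rate = math.log2(4 / 3) / 2 * math.log2(delta_max)  # negative
    return max(0, math.ceil((math.log2(eps) - (ell / 2 - 1)) / rate))


if __name__ == "__main__":
    for r in (0.5, 0.9, 0.99):
        d = best_delta(r)
        print(f"r={r}: Delta={d:.4f}, n for 1e-6 (ell=1): {qubits_needed(d, 1, 1e-6)}")
```

In this parametrisation storing beats measuring only when (1 + r)/2 exceeds cos²(π/8), so for noisier storage the Breidbart value fixes the number of qubits required.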



11.4 Practical oblivious transfer 



In this section, we prove the security of a ROT protocol that is robust against noise for the honest parties. Our protocol is thereby a small modification of the protocol considered in [Sch07]. Note that for our analysis, we have to assume a worst-case scenario where a dishonest receiver Bob has access to a perfect noise-free quantum channel and only experiences noise during storage. First, we consider erasure noise (in practice corresponding to photon loss) during preparation, transmission and measurement of the qubits by the honest parties. Let $1 - p_{erase}$ be the total constant probability for an honest Bob to measure and detect a photon in the {+, ×} basis given that an honest Alice prepares a qubit (or weak laser pulse) in her lab and sends it to him. The probability $p_{erase}$ is determined among others by the mean photon number in the pulse, the loss on the channel and the quantum efficiency of the detector. In our protocol we assume that the (honest) erasure rate $p_{erase}$ is independent of whether qubits were encoded or measured in the +- or ×-basis. This assumption is necessary to guarantee the correctness and the security against a cheating Alice only. Fortunately, this assumption is well matched with physical capabilities.

Any other noise source during preparation, transmission and measurement can be characterized as an effective classical noisy channel resulting in the output bits X' that Bob obtains at Step of Protocol 11.4. For simplicity, we model this compound noise source as a classical binary symmetric channel acting independently on each bit of X. Typical noise sources for polarization-encoded qubits are depolarization during transmission, dark counts in Bob's detector and misaligned polarizing beam-splitters. Let the effective bit-error probability of this binary symmetric channel be $p_{error} < 1/2$.

Before engaging in the actual protocol, Alice and Bob agree on the system parameters $p_{erase}$ and $p_{error}$ similarly to Step 1 of the protocol in [BBCS92b]. Furthermore, they agree on a family $\{C_n\}$ of linear error correcting codes of length n capable of efficiently correcting $n \cdot p_{error}$ errors. For any string $x \in \{0,1\}^n$, error correction is done by sending the syndrome information syn(x) to Bob from which he can correctly recover x if he holds an output $x' \in \{0,1\}^n$ obtained by flipping each bit of x independently with probability $p_{error}$. It is known that for large enough n, the code $C_n$ can be chosen such that its rate is arbitrarily close to $1 - h(p_{error})$ and the syndrome length (the number of parity check bits) are asymptotically bounded by $|syn(x)| < h(p_{error})n$ [Cre97], where $h(p_{error})$ is the binary Shannon entropy. We assume the players have synchronized clocks. In each time slot, Alice sends one qubit (laser pulse) to Bob.
Protocol 3: Noise-Protected Photonic 1-2 ROT*(C,T)
1: Alice picks $X \in_R \{0, 1\}^n$ and $\Theta \in_R \{+, \times\}^n$.

2: For $i = 1, \ldots, n$: In time slot $t = i$, Alice sends $\sigma_{X_i,\Theta_i}$ as a phase- or
polarization-encoded weak pulse of light to Bob.

3: In each time slot, Bob measures the incoming qubit in the basis corresponding
to his choice bit $C \in \{+, \times\}$ and records whether he detects a
photon or not. He obtains some bit-string $X' \in \{0, 1\}^m$ with $m \le n$.

4: Bob reports back to Alice in which time slots he received a qubit. Alice
restricts herself to the set of $m \le n$ bits that Bob did not report as
missing. Let this set of qubits be $S_{remain}$ with $|S_{remain}| = m$.

5: Let $I_b = \{i \in S_{remain} \mid \Theta_i = b\}$ for $b \in \{+, \times\}$ and let $m_b = |I_b|$. Alice
aborts the protocol if either $m_+$ or $m_\times < (1 - p_{erase}) n/2 - O(\sqrt{n})$. If this
is not the case, Alice picks two hash functions $F_+, F_\times \in_R \mathcal{F}$, where $\mathcal{F}$
is a set of two-universal hash functions. At time $t = n + T$, Alice sends
$I_+, I_\times, F_+, F_\times$, and the syndromes $syn(X|_{I_+})$ and $syn(X|_{I_\times})$ according
to codes of appropriate length $m_b$ to Bob. Alice outputs $S_+ = F_+(X|_{I_+})$
and $S_\times = F_\times(X|_{I_\times})$.

6: Bob uses $syn(X|_{I_C})$ to correct the errors on his output $X'|_{I_C}$. He obtains
the corrected bit-string $X_{cor}$ and outputs $S'_C = F_C(X_{cor})$.

Let us consider the security and correctness of this modified protocol. 

(i) Correctness: By assumption, $p_{erase}$ is independent of the basis in which Alice
sent the qubits. Thus, $S_{remain}$ is with high probability a random subset of the
transmitted qubits of size $m \approx (1 - p_{erase}) n \pm O(\sqrt{n})$ qubits independent of
the value of the bases $\Theta$. This implies that in Step 5 the protocol is aborted with a
probability exponentially small in $m$, and hence in $n$. The codes are chosen such
that Bob can decode except with negligible probability. These facts imply that if
both parties are honest the protocol is correct (i.e. $S_C = S'_C$) with exponentially
small probability of error.

(ii) Security against dishonest Alice: Even though in this scenario Bob does com- 
municate to Alice, the information stating which qubits were erased is by assump- 
tion independent of the basis in which he measured and thus of his choice bit C. 
Hence Alice does not learn anything about his choice bit C. Her input strings 
can be extracted as in Protocol 1. 

(iii) Security against dishonest Bob: Our analysis is essentially identical to our
analysis for Protocol 1 where we address the error-correcting properties as in [Sch07].
First of all, we note that Bob can always make Alice abort the protocol by reporting
back an insufficient number of received qubits. If this is not the case, then we
define $C$ as in the analysis of Protocol 1 and we need to bound the non-uniformity
$\delta_{sec}$ as before. Let us for simplicity assume that $m_b = m/2$ (this is true with high
probability, up to a factor of $O(\sqrt{n})$ which becomes negligible for large $n$) with
$m \approx (1 - p_{erase}) n$. We perform the same analysis, where we restrict ourselves to
the set of remaining qubits. We first follow through the same steps simplifying
the non-uniformity using that the total attack superoperator $\mathcal{S}$ is a product of
superoperators. Then we use the bound in Lemma 11.2.3 for each $\theta \in \{+, \times\}^n$
where we now have to condition on the additional information $syn(X|_{I_{\bar{C}}})$ which
is $m\,h(p_{error})/2$ bits long. Note that Bob does not gain any information when
Alice aborts the protocol, since her decision to abort is a function of the bits Bob
reported as being erased and he can thus compute Alice's decision himself. Using
the second part of Lemma 11.2.3 and following identical steps in the remainder
of the proof implies

4ec<2i-^+'^(^-)f(A_)^-. (11.4) 

From this expression it is clear that the security depends crucially on the value
of $\Delta_{max}$ versus the binary entropy $h(p_{error})$. The trade-off in our bound is not
extremely favorable for security as we will see.



11.5 Example: depolarizing noise 

Let us now consider the security in an explicit example, where Bob's storage is 
affected by depolarizing noise, and he is not able to encode the incoming qubits 
into a higher-dimensional system such as an error correcting code. 

Again, we first address the simpler setting where the honest players experience
no noise themselves. In order to explicitly bound $\Delta(\mathcal{S}_i)$ we should allow for
intermediate strategies of Bob in which he partially measures the incoming qubits
leaving some quantum information undergoing depolarizing noise. To model this
noise we let $\mathcal{S}_i = \mathcal{N} \circ \mathcal{P}_i$, where $\mathcal{P}_i$ is any noiseless quantum operation of Bob's
choosing from one qubit to one qubit that generates some classical output. For
example, $\mathcal{P}_i$ could be a partial measurement providing Bob with some classical
information and a slightly disturbed quantum state, or just a unitary operation.
Let

$$\mathcal{N}(\rho) := r\rho + (1 - r)\frac{I}{2}$$

be the fixed depolarizing 'quantum storage' channel that Bob cannot influence
(see Figure 11.1).

To determine $\delta_{sec}$, we have to find an uncertainty relation similar to Eq. (11.2)
by optimizing over all possible partial measurements $\mathcal{P}_i$,

$$\Delta_{max}^2 = \max_{\mathcal{S}_i} \Delta(\mathcal{S}_i)^2 = \max_{\mathcal{S}_i} P_g(X|\mathcal{S}_i(\sigma_+)) \cdot P_g(X|\mathcal{S}_i(\sigma_\times)). \qquad (11.5)$$

We solve this problem for depolarizing noise using the symmetries inherent in our
problem. In Section 11.5.1 we prove the following
Figure 11.1: Bob performs a partial measurement $\mathcal{P}_i$, followed by noise $\mathcal{N}$, and outputs
a guess bit $x_g$ depending on his classical measurement outcome, the remaining quantum
state, and the additional basis information.



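11.5.1. Theorem. Let $\mathcal{N}$ be the depolarizing channel and let $\max_{\mathcal{S}_i} \Delta(\mathcal{S}_i)$ be
defined as above. Then

$$\max_{\mathcal{S}_i} \Delta(\mathcal{S}_i) = \begin{cases} \frac{1+r}{2} & \text{for } r \ge \frac{1}{\sqrt{2}} \\ \frac{1}{2} + \frac{1}{2\sqrt{2}} & \text{for } r < \frac{1}{\sqrt{2}} \end{cases}$$

Our result shows that for $r < 1/\sqrt{2}$ a direct measurement $M$ in the Breidbart
basis is the best attack Bob can perform. For this measurement, we have $\Delta(M) =
1/2 + 1/(2\sqrt{2})$. If the depolarizing noise is low ($r > 1/\sqrt{2}$), then our result states
that the best strategy for Bob is to simply store the qubit as is.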

11.5.1 Optimal cheating strategy 



We now prove Theorem 11.5.1 in a series of steps. Recall that to determine the
security bound, we have to find an uncertainty relation similar to Eq. (11.2) by
optimizing over all possible partial measurements $\mathcal{P}$ and final measurements $M$
as in Eq. (11.5). To improve readability, we will drop the index $i$ and use $\mathcal{S}$ in place
of $\mathcal{S}_i$ to denote the cheating operation acting on a single qubit. For our analysis, it
will be convenient to think of $\mathcal{P}$ as a partial measurement of the incoming qubit.
Note that this corresponds to letting Bob perform an arbitrary CPTP map from
the space of the incoming qubit to the space carrying the stored qubit. It will
furthermore be convenient to consider maximizing the sum instead:

$$\Gamma(\mathcal{S}) = \max P_g(X|\mathcal{S}(\sigma_+)) + P_g(X|\mathcal{S}(\sigma_\times)).$$

This immediately gives us the bound $\Delta(\mathcal{S}) \le \Gamma(\mathcal{S})/2$. In the following, we will
use the shorthand

$$p_+ := P_g(X|\mathcal{S}(\sigma_+))$$
$$p_\times := P_g(X|\mathcal{S}(\sigma_\times))$$

for the probabilities that Bob correctly decodes the bit after Alice has announced
the basis information.

Any measurement Bob may perform can be characterized by a set of measurement
operators $\{F_k\}$ such that $\sum_k F_k^\dagger F_k = I$. The probability that Bob succeeds
in decoding the bit after the announcement of the basis is simply the average over
the probability that he correctly decodes the bit, conditioned on the fact that he
obtained outcome $k$. I.e., for $b \in \{+, \times\}$



Pb = J^Pi'lb [\ + \ \\Po\kbN{alf,) - pi\kbN{alf^)\\j 
k ^ 

\ + \ ^Pk\b\\r{pQ\kb^Q^b-Pi\kb0^i,b) + (1 - ^)(Po|fcb -Pi|fcb)I/2||i, 



2 4 

k 



where 



is the probability of obtaining measurement outcome $k$ conditioned on the fact
that the basis was $b$ (and we even see from the above that it is actually independent
of $b$), $\tilde{\sigma}^k_{0,b} = F_k \sigma_{0,b} F_k^\dagger / p_{k|0b}$ is the post-measurement state for outcome $k$, and
$p_{0|kb}$ is the probability that we are given this state. Definitions are analogous for
the bit 1.

We now show that Bob's optimal strategy is to measure in the Breidbart basis
for $r < 1/\sqrt{2}$, and to simply store the qubit for $r > 1/\sqrt{2}$. This then immediately
allows us to evaluate $\Delta_{max}$. To prove our result, we proceed in three steps: First,
we will simplify our problem considerably until we are left with a single Hermitian
measurement operator over which we need to maximize. Second, we show that
the optimal measurement operator is diagonal in the Breidbart basis. And finally,
we show that depending on the amount of noise, this measurement operator is
either proportional to the identity, or proportional to a rank one projector. Our
individual claims are indeed very intuitive.

For any measurement $M = \{F_k\}$, let $B(M) = p_+^M + p_\times^M$ for the measurement
$M$, where $p_+^M$ and $p_\times^M$ are the success probabilities similar to Eq. (11.6), but
restricted to using the measurement $M$. First of all, note that we can easily
combine two measurements. Intuitively, the following statement says that if we
choose one measurement with probability $\alpha$, and the other with probability $\beta$,
our average success probability will be the average of the success probabilities
obtained via the individual measurements:

4. Claim. Let $M_1 = \{F_k^1\}$ and $M_2 = \{F_k^2\}$ be two measurements. Then
$B(\alpha M_1 + \beta M_2) = \alpha B(M_1) + \beta B(M_2)$, where $\alpha M_1 + \beta M_2 = \{\sqrt{\alpha} F_k^1\} \cup \{\sqrt{\beta} F_k^2\}$ for
$\alpha, \beta \ge 0$ and $\alpha + \beta = 1$.

Proof. Let $F = \{F_k\}_{k=1}^{f}$ and $G = \{G_k\}_{k=1}^{g}$ be measurements, $0 \le \alpha \le 1$ and
$M := \{\sqrt{\alpha} F_k\}_{k=1}^{f} \cup \{\sqrt{1 - \alpha}\, G_k\}_{k=f+1}^{f+g}$ be the measurement $F$ with probability
$\alpha$ and measurement $G$ with probability $1 - \alpha$. We denote by $p^F, p^G, p^M$ the
probabilities corresponding to measurements $F$, $G$, $M$ respectively. Observe that
for 1 < A; < /, p^^ = ^Tr{aFkFl) = ap^^ and analogously for f + 1 < k < f + g, 
we have p^f^ = (1 — Q;)p^^. We observe furthermore that for 1 < A; < / and 

X e {0, 1}, a cancels out by the normahzation, a^f = "'^"m"-'"^"^ = = a^'^ 

and similarly for/ + l < k < f + g. Finally, we can convince ourselves that 
Paf\kb ~ Px\kb ~ Px\{k-f)by ^ probability to be given state a^ f^ is the same when 
the measurement outcome and the basis is fixed. Putting everything together, 
we obtain 



Pb = i^Pk\b [ 2 + iWPmb^^'^o^b ) -Pi\kbN{cT{^b )||i 

k=l ^ 
^ /II 

= J2^Pk\b ( 2 + l\\Po\kbN{&of) -pf\kbN{^i,b)\U 

k=l ^ 



4' 

2 4' 

apf + (1 - ■ 

□ 



We can now make a series of observations. 



5. Claim. Let $M = \{F_k\}$ and $G = \{I, X, Z, XZ\}$. Then for all $g \in G$ we have
$B(M) = B(gMg^\dagger)$.



Proof. This claim follows immediately from the fact that for the trace norm
we have $\|UAU^\dagger\|_1 = \|A\|_1$ for all unitaries $U$, and by noting that for all $g \in G$,
$g$ can at most exchange the roles of 0 and 1. I.e., we perform a bit flip before
the measurement which we can correct for afterwards by applying classical
post-processing: we have for all $g \in G$ that



Pk\b 



Po\kbN 



= Pk'\b 



Po\kbN 



Fk gcro,bg^F l 

Pk\Ob 

FkCro,bFl 



Pit 1 06 



Pi\kbN 



Fkgai^Fl 
Pk\ib 

FkO\bFl 
Pk\ib 



□ 



It also follows that

11.5.2. Corollary. For all $k$ we have for all $b \in \{+, \times\}$ and $g \in G$ that



Po\kbN 



Fk(Jo,bFf 

Pk\Ob 



t 



Pi\kbN 



FkO'ihFi 



Po\kbN 



Fkgo\bflFl 

Pk\Ob 



Pk\lb 
Pi\kbN 



Fkgaifig^Fl 
Pk\lb 



Proof. This follows from the proof of Claim 5.



□ 



6. Claim. Let $G = \{I, X, Z, XZ\}$. There exists a measurement operator $F$ such
that the maximum of $B(M)$ over all measurements $M$ is achieved by a measurement
proportional to $\{gFg^\dagger \mid g \in G\}$.

Proof. Let $M = \{F_k\}$ be a measurement. Let $K = |M|$ be the number of
measurement operators. Clearly, $\hat{M} = \{\hat{F}_{g,k}\}$ with

$$\hat{F}_{g,k} = \frac{1}{2}\, g F_k g^\dagger$$

is also a quantum measurement since $\sum_{g,k} \hat{F}_{g,k}^\dagger \hat{F}_{g,k} = I$. It follows from Claims 4
and 5 that $B(M) = B(\hat{M})$. Define operators

$$N_{g,k} = \frac{1}{\sqrt{2\,\mathrm{Tr}(F_k^\dagger F_k)}}\, g F_k g^\dagger.$$

Note that

$$\sum_{g \in G} N_{g,k}^\dagger N_{g,k} = \frac{1}{2\,\mathrm{Tr}(F_k^\dagger F_k)} \sum_{u,v \in \{0,1\}} X^u Z^v F_k^\dagger F_k Z^v X^u = I$$

(see for example Hayashi [Hay06]). Hence $M_k = \{N_{g,k}\}$ is a valid quantum
measurement. Now, note that $\hat{M}$ can be obtained from $M_1, \ldots, M_K$ by averaging.
Hence, by Claim 4 we have

$$B(M) = B(\hat{M}) \le \max_k B(M_k).$$

Let $M^*$ be the optimal measurement. Clearly, $m = B(M^*) \le \max_k B(M^*_k) \le m$
by the above and Corollary 11.5.2 from which our claim follows. □



Note that Claim 6 also gives us that we have at most 4 measurement operators.
Without loss of generality, we will take the measurement outcomes to be labeled 1, 2, 3, 4.

Finally, we note that we can restrict ourselves to optimizing over
positive-semidefinite (and hence Hermitian) matrices only.
7. Claim. Let $F$ be a measurement operator, and let

g{F) := I + '^Pk\b\\po\bN{ao^b) - Pi\bN{a~i^b)\\^ 

b,k 

with $\tilde{\sigma}_{0,b} = F\sigma_{0,b}F^\dagger/\mathrm{Tr}(F\sigma_{0,b}F^\dagger)$ and $\tilde{\sigma}_{1,b} = F\sigma_{1,b}F^\dagger/\mathrm{Tr}(F\sigma_{1,b}F^\dagger)$. Then there
exists a Hermitian operator $\hat{F}$, such that $g(F) = g(\hat{F})$.

Proof. Let $F^\dagger = \hat{F}U$ be the polar decomposition of $F^\dagger$, where $\hat{F}$ is positive
semidefinite and $U$ is unitary [HJ85, Corollary 7.3.3]. Evidently, since the trace is
cyclic, all probabilities remain the same. It follows immediately from the definition
of the trace norm that $\|UAU^\dagger\|_1 = \|A\|_1$ for all unitaries $U$, which completes
our proof. □



To summarize, our optimization problem can now be simplified to 
maxB(M) = maxpf + < 

M M ^ 

maxl + ^Pk\b\\po\bN{ao^b) - Pi\bN{ai^b)\\. 

b,k 



r(F(ff„,i - CTn)F) + (1 - r)Tl'(F(ff„,i - ffl.i)F)^ 



where the maximization is now taken over a single operator $F$, and we have
used the fact that we can write $p_{0|kb} = p_{k|0b}/(2p_{k|b})$ and we have 4 measurement
operators.



F is diagonal in the Breidbart basis 

Now that we have simplified our problem already considerably, we are ready to
perform the actual optimization. Since we are in dimension $d = 2$ and $F$ is
Hermitian, we may express $F$ as

$$F = \alpha|\phi\rangle\langle\phi| + \beta|\phi^\perp\rangle\langle\phi^\perp|,$$

for some state $|\phi\rangle$ and real numbers $\alpha, \beta$. We first of all note that from
$\sum_k F_k^\dagger F_k = I$, we obtain that

$$\mathrm{Tr}\Big(\sum_k F_k^\dagger F_k\Big) = \sum_k \mathrm{Tr}(F_k^\dagger F_k) = \sum_{g \in \{I,X,Z,XZ\}} \mathrm{Tr}(gFg^\dagger gFg^\dagger) = 4\,\mathrm{Tr}(FF) = \mathrm{Tr}(I) = 2,$$

and hence $\mathrm{Tr}(FF) = \alpha^2 + \beta^2 = 1/2$. Furthermore using that $|\phi\rangle\langle\phi| + |\phi^\perp\rangle\langle\phi^\perp| = I$
we then have

$$F = \beta I + (\alpha - \beta)|\phi\rangle\langle\phi|, \qquad (11.6)$$

with $\beta = \sqrt{1/2 - \alpha^2}$. Our first goal is now to show that $|\phi\rangle$ is a Breidbart vector
(or the bit-flipped version thereof). To this end, we first formalize our intuition
that we may take $|\phi\rangle$ to lie in the XZ plane of the Bloch sphere only. Since we
are only interested in the trace-distance term of $B(M)$, we restrict ourselves to
considering



r{F{ao,b - (yi,b)F) + (1 - r)Tr(F(ao,5 - 



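8. Claim. Let $F$ be the operator that maximizes $C(F)$, and write $F$ as in Eq. (11.6).
Then $|\phi\rangle$ lies in the XZ plane of the Bloch sphere (i.e. $\mathrm{Tr}(FY) = 0$).

Proof. We first parametrize the state in terms of its Bloch vector:

$$|\phi\rangle\langle\phi| = \frac{I + xX + yY + zZ}{2}.$$

Since $|\phi\rangle$ is pure we can write $y = \sqrt{1 - x^2 - z^2}$. Hence, we can express $F$ as

$$F = \frac{1}{2}\big((\alpha + \beta) I + (\alpha - \beta)(xX + yY + zZ)\big).$$

Noting that $\sigma_{0,+} - \sigma_{1,+} = Z$ and $\sigma_{0,\times} - \sigma_{1,\times} = X$ we can compute for the
computational basis

$$P := r(FZF) + (1 - r)\,\mathrm{Tr}(FZF)\frac{I}{2}
= \frac{1}{2}\Big(\big(2\alpha^2 - \tfrac{1}{2}\big) z I + r\big((\alpha - \beta)^2 xz\,X + (\alpha - \beta)^2 yz\,Y + ((\alpha - \beta)^2 z^2 + 2\alpha\beta)\,Z\big)\Big)$$

and for the Hadamard basis:

$$T := r(FXF) + (1 - r)\,\mathrm{Tr}(FXF)\frac{I}{2}
= \frac{1}{2}\Big(\big(2\alpha^2 - \tfrac{1}{2}\big) x I + r\big(((\alpha - \beta)^2 x^2 + 2\alpha\beta)\,X + (\alpha - \beta)^2 xy\,Y + (\alpha - \beta)^2 xz\,Z\big)\Big).$$

Note that $\|P\|_1 = \sum_j |\lambda_j(P)|$, where $\lambda_j$ is the $j$-th eigenvalue of $P$. A lengthy
computation (using Mathematica), and plugging in $\beta = \sqrt{1/2 - \alpha^2}$ and $y =
\sqrt{1 - x^2 - z^2}$ shows that we have

$$\lambda_1(P) = \frac{1}{4}\Big((4\alpha^2 - 1) z - r\sqrt{z^2 + 8\alpha^2(2\alpha^2 - 1)(z^2 - 1)}\Big)$$
$$\lambda_2(P) = \frac{1}{4}\Big((4\alpha^2 - 1) z + r\sqrt{z^2 + 8\alpha^2(2\alpha^2 - 1)(z^2 - 1)}\Big)$$

Similarly, we obtain for the Hadamard basis that

$$\lambda_1(T) = \frac{1}{4}\Big((4\alpha^2 - 1) x - r\sqrt{x^2 + 8\alpha^2(2\alpha^2 - 1)(x^2 - 1)}\Big)$$
$$\lambda_2(T) = \frac{1}{4}\Big((4\alpha^2 - 1) x + r\sqrt{x^2 + 8\alpha^2(2\alpha^2 - 1)(x^2 - 1)}\Big)$$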

We define

$$f(\alpha, x) := (4\alpha^2 - 1)\,x,$$
$$g(\alpha, x) := \sqrt{x^2 + 8\alpha^2(2\alpha^2 - 1)(x^2 - 1)},$$
$$h(\alpha, x, r) := |f(\alpha, x) + r g(\alpha, x)| + |f(\alpha, x) - r g(\alpha, x)|.$$

Note that our optimization problem now takes the form

maximize $h(\alpha, x, r) + h(\alpha, z, r)$
subject to $x^2 + z^2 \le 1$
$0 \le x \le 1$
$0 \le z \le 1$,

where we can introduce the last two inequality constraints without loss of generality,
since the remaining three measurement operators will be given by $XFX$,
$ZFZ$, and $XZFZX$.

To show that we can let $y = 0$ for the optimal solution, we have to show that
for all $\alpha$ and all $r$, the function $h(\alpha, x, r)$ is increasing on the interval $0 \le x \le 1$
(and indeed Mathematica will convince you in an instant that this is the case).
Our analysis is further complicated by the absolute values. We therefore first
consider

$$h(\alpha, x, r)^2 = 2\big(f(\alpha, x)^2 + r^2 g(\alpha, x)^2 + |f(\alpha, x)^2 - r^2 g(\alpha, x)^2|\big),$$

where we have used the fact that $f$ and $g$ are real valued functions. In principle,
we can now analyze $h_+(\alpha, x, r)^2 = 2(f(\alpha, x)^2 + r^2 g(\alpha, x)^2 + f(\alpha, x)^2 - r^2 g(\alpha, x)^2)$
and $h_-(\alpha, x, r)^2 = 2(f(\alpha, x)^2 + r^2 g(\alpha, x)^2 - f(\alpha, x)^2 + r^2 g(\alpha, x)^2)$ separately on
their respective domains. By rewriting, we obtain

h+{a, X, rY = ^r^(x^ + 8q;^(2q;^ - - 1)), 

and ^ 

h-{a,x,rY — 4: — x^. 

Luckily, the first derivatives of $h_+$ and $h_-$ turn out to be positive everywhere
for our choice of parameters $0 \le \alpha \le 1/\sqrt{2}$, and $0 \le r, x \le 1$. Hence, by further
inspection at the transitional points we can conclude that $h$ is an increasing
function of $x$. But this means that to maximize our target expression, we must
choose $x$ and $z$ as large as possible. Hence, choosing $y = 0$ is the best choice and
our claim follows. □

We can now immediately extend this analysis to find 



9. Claim. Let $F$ be the operator that maximizes $C(F)$, and write $F$ as in Eq. (11.6).
Then

$$|\phi\rangle = g(\cos(\pi/8)|0\rangle + \sin(\pi/8)|1\rangle),$$

for some $g \in \{I, X, Z, XZ\}$.

Proof. Extending our analysis from the previous proof, we can compute the
second derivative of both functions. It turns out that also the second derivatives
are positive, and hence $h$ is convex in $x$. By Claim 8 we can rewrite our
optimization problem as

maximize $h(\alpha, x, r) + h(\alpha, z, r)$
subject to $x^2 + z^2 = 1$
$0 \le x \le 1$
$0 \le z \le 1$

It now follows from the fact that $h$ is convex in $x$ and the constraint $x^2 + z^2 = 1$
(by computing the Lagrangian of the above optimization problem), that for the
optimal solution we must have $x = z$, and our claim follows. □



Optimality of the trivial strategies 

Now that we have shown that $F$ is in fact diagonal in the Breidbart basis (or the
bit flipped version thereof) we have only a single parameter left in our optimization
problem. We must now optimize over all operators $F$ of the form

$$F = \alpha|\phi\rangle\langle\phi| + \sqrt{1/2 - \alpha^2}\,|\phi^\perp\rangle\langle\phi^\perp|,$$

where we may take $|\phi\rangle$ to be $|0\rangle_B$ or $|1\rangle_B$. Our aim is now to show that either $F$
is the identity, or $F = |\phi\rangle\langle\phi|$ depending on the value of $r$.

10. Claim. Let $F$ be the operator that maximizes $C(F)$. Then $F = cI$ (for some
$c \in \mathbb{R}$) for $r \ge 1/\sqrt{2}$, and $F = |\phi\rangle\langle\phi|$ for $r < 1/\sqrt{2}$, where

$$|\phi\rangle = g(\cos(\pi/8)|0\rangle + \sin(\pi/8)|1\rangle),$$

for some $g \in \{I, X, Z, XZ\}$.
Proof. We can now plug in $x = z = 1/\sqrt{2}$ in the expressions for the eigenvalues
in our previous proof. Ignoring the constant positive factors which do not
contribute to our argument, we can then write

$$\lambda_1(P) = (4\alpha^2 - 1) - r\sqrt{1 - 16\alpha^4 + 8\alpha^2},$$
$$\lambda_2(P) = (4\alpha^2 - 1) + r\sqrt{1 - 16\alpha^4 + 8\alpha^2}.$$

And similarly for the Hadamard basis. We again define functions

$$f(\alpha) := (4\alpha^2 - 1)$$
$$g(\alpha) := \sqrt{1 - 16\alpha^4 + 8\alpha^2}$$
$$h(\alpha, r) := |f(\alpha) + r g(\alpha)| + |f(\alpha) - r g(\alpha)|$$

Note that our optimization problem now takes the form

maximize $2h(\alpha, r)$
subject to $0 \le \alpha \le \frac{1}{\sqrt{2}}$

Since we are maximizing, we might as well consider the square of our target
function and ignore the leading constant as it is irrelevant for our argument.

$$h(\alpha, r)^2 = 2\big(f(\alpha)^2 + r^2 g(\alpha)^2 + |f(\alpha)^2 - r^2 g(\alpha)^2|\big)$$

To deal with the absolute value, we now perform a case analysis similar to the
one above. Computing the zero crossings of the function $f(\alpha)^2 - r^2 g(\alpha)^2$, we
analyze each interval separately. Computing the first and second derivatives on
the intervals we find that $h(\alpha, r)^2$ has exactly two peaks: The first at $\alpha = 0$, and
the second at $\alpha = 1/2$. We have that $h(0, r)^2 = 2$ for all $r$, and $h(1/2, r)^2 = 4r^2$.
Hence, we immediately see that the maximum is located at $\alpha = 0$ for $r < 1/\sqrt{2}$,
and at $\alpha = 1/2$ for $r > 1/\sqrt{2}$. □



Theorem 11.5.1 now follows directly from Claim 10: Bob either measures in
the Breidbart basis, or stores the qubit as is. We believe that a similar analysis
can be done for the dephasing channel, by first symmetrizing the noise by applying
a rotation over $\pi/4$ to our input states.



11.5.2 Noise tradeoff 

We now consider the more practical setting, where the honest parties also experience
noise. Clearly, there is a strict tradeoff between the noise $p_{error}$ on the channel
experienced by the honest parties, and the noise experienced by dishonest Bob.
Our practical security bound is fairly weak. In the near-future we may anticipate
that storage is better than direct measurement if good photonic memories become
available. However, we are free in our protocol to stretch the waiting time
$T$ between Bob's reception of the qubits and his reception of the classical basis
information, say, to seconds, which means that one has to consider the overall
noise rate on a qubit that is stored for seconds.

We again consider the case of depolarizing noise during storage. For $r < 1/\sqrt{2}$
(when it is better for Bob to measure in the Breidbart basis), we obtain that our
protocol is secure as long as

$$h(p_{error}) < 2 \log\Big(\frac{1}{2} + \frac{1}{2\sqrt{2}}\Big) \log(3/4).$$

Hence, we require that $p_{error} \lesssim 0.029$. This puts a strong restriction on the noise
rate of the honest protocol. Yet, since our protocols are particularly interesting at
short distances (e.g. in the case of secure identification), we can imagine very short
free-space implementations such that depolarization noise during transmission
is negligible and the main depolarization noise source is due to Bob's honest
measurements.

For $r > 1/\sqrt{2}$ (when it's better for Bob to store the qubit as is) we also obtain
a tradeoff involving $r$. As an example, suppose that the qubits in the honest protocol
are also subjected to depolarizing noise at rate $1 - r_{d,honest}$. The effective classical
error rate for a depolarizing channel is then simply $p_{error} = (1 - r_{d,honest})/2$.
Thus we can consider when the function $h(p_{error})/4 + \log\big(\frac{1+r}{2}\big) \log(4/3)/2$ goes
below 0. If we assume that $r_{d,honest} = a r$, for some scaling factor $1 \le a \le 1/r$
(i.e., the honest party never has more noise than the dishonest party), we obtain
a clear tradeoff between $a$ and $r$ depicted in Figure 11.2.
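The two strategies of Theorem 11.5.1 and the noise tradeoff of Section 11.5.2, worked numerically as an added example (not code from the thesis). It assumes the security condition is $h(p_{error})/4 + \log(\Delta_{max}) \log(4/3)/2 < 0$ with base-2 logarithms, the reading that reproduces the stated $p_{error} \approx 0.029$; all function names are illustrative.

```python
import math


def h2(p):
    """Binary Shannon entropy h(p) in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def direct_measurement_delta(theta):
    """Delta(S) = sqrt(P_g(+) * P_g(x)) when Bob measures at once along the
    Bloch direction (sin theta, 0, cos theta) and keeps only a classical bit.
    The encoded states have Bloch vectors +-z (basis +) and +-x (basis x);
    storage noise cannot disturb a classical outcome."""
    p_plus = 0.5 * (1.0 + abs(math.cos(theta)))
    p_times = 0.5 * (1.0 + abs(math.sin(theta)))
    return math.sqrt(p_plus * p_times)


def best_direct_measurement(steps=2000):
    """Grid search over measurement directions in the XZ plane."""
    best_theta, best_delta = 0.0, 0.0
    for i in range(steps + 1):
        theta = (math.pi / 2.0) * i / steps
        d = direct_measurement_delta(theta)
        if d > best_delta:
            best_theta, best_delta = theta, d
    return best_theta, best_delta


# The optimum of the scan is the Breidbart direction theta = pi/4.
BREIDBART_DELTA = best_direct_measurement()[1]


def store_delta(r):
    """Bob stores the qubit untouched. N(rho) = r*rho + (1-r)*I/2 shrinks the
    Bloch vector by r, so N(sigma_0) - N(sigma_1) = r*Z (or r*X), whose trace
    norm is 2r; the Helstrom guess is 1/2 + (1/4)*2r in either basis."""
    return 0.5 + 0.25 * (2.0 * r)


def delta_max(r):
    """Theorem 11.5.1: the better of 'measure in Breidbart basis' and 'store'."""
    return max(BREIDBART_DELTA, store_delta(r))


def security_exponent(p_error, r):
    """Assumed per-qubit exponent; a negative value means the bound on
    delta_sec shrinks as the number of received qubits m grows."""
    return h2(p_error) / 4.0 + math.log2(delta_max(r)) * math.log2(4.0 / 3.0) / 2.0


def max_honest_error(r, tol=1e-12):
    """Largest p_error in [0, 1/2] with a negative exponent (bisection;
    h2 is increasing on that interval)."""
    lo, hi = 0.0, 0.5
    if security_exponent(hi, r) < 0.0:
        return hi
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if security_exponent(mid, r) < 0.0:
            lo = mid
        else:
            hi = mid
    return lo


def min_scaling_factor(r):
    """Smallest a >= 1 with r_honest = a*r secure, using
    p_error = (1 - a*r)/2; None if no honest noise level is tolerated."""
    p = max_honest_error(r)
    if p <= 0.0:
        return None
    return max(1.0, (1.0 - 2.0 * p) / r)


if __name__ == "__main__":
    for r in (0.5, 1.0 / math.sqrt(2.0), 0.8, 0.9):
        print(f"r={r:.3f}  Delta_max={delta_max(r):.4f}  "
              f"p_error<{max_honest_error(r):.4f}  a>={min_scaling_factor(r):.4f}")
```

The tolerated honest error rate is flat at about 0.029 while measuring is Bob's best attack and drops once storing becomes better, which is the tradeoff between $a$ and $r$ described above.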



11.6 Conclusion

We have introduced the model of noisy-quantum storage. In this model, we have 
determined security bounds for a perfect ROT protocol given collective storage 
attacks by Bob. Furthermore, we showed how to construct a practical ROT where 
we do allow the honest parties to experience noise during transmissions and their 
operations as well. We provided an explicit security tradeoff between the noise 
affecting the honest parties, and the noise during storage for a dishonest Bob. 

Ideally, we would like to show security against general coherent noisy attacks. 
The problem with analyzing a coherent attack of Bob described by some super- 
operator S affecting all his incoming qubits is not merely a technical one: one 
first needs to determine a realistic noise model in this setting. It may be possible 
using variations of de Finetti theorems as in the proof of QKD [Ren05] to prove
for a symmetrized version of our protocol that any coherent attack by Bob is 
equivalent to a collective attack. Yet, the present scenario differs in that it is not 
as straightforward to achieve a symmetrization of the protocol. However, one can 
in fact analyze a specific type of coherent noise, one that essentially corresponds 
to an eavesdropping attack in QKD. Note that the 1-2 OT protocol can be seen 
as two runs of QKD interleaved with each other. The strings $f(x|_{I_+})$ and $f(x|_{I_\times})$
are then the two keys generated. The noise must be such that it leaves Bob with 
exactly the same information as the eavesdropper Eve in QKD. In this case, it 
follows from the security of QKD that the dishonest Bob (learning exactly the 
same information as the eavesdropper Eve) does not learn anything about the 
two keys. 

In terms of long-term security, fault-tolerant photonic computation (e.g., with 
the KLM scheme [KLM01]) might allow a dishonest Bob to encode the incoming
quantum information into a fault-tolerant quantum memory. This implies that 
in storage, the effective noise rate can be made arbitrarily small. However, the 
encoding of a single unknown state is not a fault-tolerant quantum operation: 
already the encoding process introduces errors whose rates cannot be made ar- 
bitrarily small with increasing effort. Hence, even in the presence of a quantum 
computer, there is a residual storage noise rate due to the unprotected encoding 
operations. The question of security then becomes a question of a trade-off be- 
tween this residual noise rate versus the intrinsic noise rate. Finally, it remains to 
address composability of the protocol within our model, which has already been 
considered for the bounded-quantum-storage model [WW07].



Appendix A

Linear algebra and semidefinite programming

Semidefinite programming is a useful tool to solve optimization problems. Since
we employed semidefinite programming in Chapters 3, 7 and 11, we briefly state
the most important notions. We refer to [BV04] for an in-depth introduction.



A.1 Linear algebra prerequisites

Before turning to semidefinite programming in the next section, we first briefly
recall some elementary definitions from linear algebra. We thereby assume the
reader is familiar with basic concepts, such as matrix multiplication and addition.
Unless explicitly indicated, all vector spaces $V$ considered here are over the field
of complex numbers. We use $V = \mathbb{C}^d$ to denote a $d$-dimensional complex vector
space, and $\mathbb{C}^{d \times d}$ to denote the space of complex $d \times d$ matrices. A set of vectors
$|v_1\rangle, \ldots, |v_d\rangle \in V$ is linearly independent if $\sum_{i=1}^{d} a_i|v_i\rangle = 0$ implies that $a_1 = \ldots =
a_d = 0$. A basis of a $d$-dimensional vector space $V$ is a set of linearly independent
vectors $|v_1\rangle, \ldots, |v_d\rangle \in V$, the basis vectors, such that any vector $|u\rangle \in V$ can be
written as a linear combination of basis vectors. If there exists a vector $|v\rangle \in V$
with $|v\rangle \neq 0$ such that $A|v\rangle = \lambda|v\rangle$, we say that $|v\rangle$ is an eigenvector of $A$ and
the scalar $\lambda$ the corresponding eigenvalue.

The inner product of two vectors $|u\rangle, |v\rangle \in V$ with $|u\rangle = (u_1, \ldots, u_d)$ and
$|v\rangle = (v_1, \ldots, v_d)$ is given by $\langle u|v\rangle = \sum_i u_i^* v_i$. The 2-norm of a vector is given by
$\| |v\rangle \| = \sqrt{\langle v|v\rangle}$. Unless otherwise indicated, all norms of a vector are 2-norms in
this text. We also use $\| |v\rangle \|_V$ to emphasize that the norm is defined on a
vector space $V$. Two vectors $|u\rangle, |v\rangle \in V$ such that $\langle u|v\rangle = 0$ are orthogonal. If,
in addition, $\| |u\rangle \| = \| |v\rangle \| = 1$ then they are also called orthonormal.

A Hilbert space is defined as a vector space $V$ with an inner product, where
the vector space is complete. We refer to [Con90] for a formal definition of the
notion of completeness and merely note that informally a vector space is complete
if for any sequence of vectors in said space approaching a limit, the limit is also
an element of the vector space. A bounded operator is an operator $A : V \to V$
such that there exists a $c \in \mathbb{R}$ satisfying $\| A|v\rangle \|_V \le c \| |v\rangle \|_V$ for all $v \in V$. The
smallest such $c$ is also called the operator norm of $A$.

The transpose of a matrix $A$ is written as $A^T$ and given by $A^T_{ij} = A_{ji}$, where
$A_{ij}$ denotes the entry of the matrix $A$ at column $i$ and row $j$. Similarly, the
conjugate transpose $A^\dagger$ of $A$ is of the form $A^\dagger_{ij} = A^*_{ji}$. We use $I$ to denote the
identity matrix defined as $I = [I_{ij}]$ with $I_{ij} = \delta_{ij}$. A matrix $U$ is called unitary
if $UU^\dagger = U^\dagger U = I$. Furthermore, $M$ is called Hermitian if and only if $M = M^\dagger$.
Any Hermitian matrix can be decomposed in terms of its eigenvalues $\lambda_j$ and
eigenvectors $|u_j\rangle$ as $M = \sum_j \lambda_j |u_j\rangle\langle u_j|$, where $|u_j\rangle\langle u_j|$ is a projector onto the
vector $|u_j\rangle$. We also call this the eigendecomposition of $M$. The support of $M$ is
the space spanned by all its eigenvectors with non-zero eigenvalue.

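The tensor product of an $m \times n$-matrix $A$ and an $m' \times n'$ matrix $B$ is given
by the $mm' \times nn'$-matrix

$$A \otimes B = \begin{pmatrix} A_{11}B & \ldots & A_{1n}B \\ A_{21}B & \ldots & A_{2n}B \\ \vdots & \ddots & \vdots \\ A_{m1}B & \ldots & A_{mn}B \end{pmatrix}$$

The tensor product is also defined for two vector spaces $V$ and $V'$. In particular,
if the basis of the $d$-dimensional vector space $V$ is given by $\{|v_1\rangle, \ldots, |v_d\rangle\}$ and
the basis of the $d'$-dimensional vector space $V'$ is given by $\{|v'_1\rangle, \ldots, |v'_{d'}\rangle\}$, then
$W = V \otimes V'$ denotes the $d \cdot d'$-dimensional vector space $W$ with basis
$\{|v_i\rangle \otimes |v'_j\rangle \mid i \in [d], j \in [d']\}$.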

The direct sum of an $m \times n$-matrix $A$ and an $m' \times n'$ matrix $B$ is given by
the $(m + m') \times (n + n')$ matrix



Two vector spaces $V$ and $V'$ defined as above can also be composed in an analogous
fashion yielding a $d + d'$ dimensional vector space $W = V \oplus V'$, where any
$|w\rangle \in W$ can be written as $|w\rangle = |v\rangle \oplus |v'\rangle$ for some $|v\rangle \in V$ and $|v'\rangle \in V'$ with
$|v\rangle \oplus |v'\rangle = (v_1, \ldots, v_d, v'_1, \ldots, v'_{d'})$ for $|v\rangle = (v_1, \ldots, v_d)$ and $|v'\rangle = (v'_1, \ldots, v'_{d'})$.

The trace of a matrix $A$ is given by the sum of its diagonal entries $\mathrm{Tr}(A) =
\sum_i A_{ii}$. Note that $\mathrm{Tr}(A + B) = \mathrm{Tr}(A) + \mathrm{Tr}(B)$, and $\mathrm{Tr}(AB) = \mathrm{Tr}(BA)$. If $A$ is
a Hermitian matrix, then $\mathrm{Tr}(A)$ is the sum of its eigenvalues.

Finally, the rank of a matrix $A$ is denoted as $\mathrm{rank}(A)$ and given by the maximal
number of linearly independent columns (or rows) of $A$.



A.2 Definitions

We now turn to the definitions relevant for our discussion of semidefinite
programming. A Hermitian matrix $M$ is positive semidefinite if and only if all of its
eigenvalues are non-negative [HJ85, Theorem 7.2.1]. Throughout this text, we
use $M \ge 0$ to indicate that $M$ is positive semidefinite. We know from [HJ85,
Theorem 7.2.11]:

A.2.1. Proposition. For a Hermitian matrix $M \in \mathbb{C}^{d \times d}$ the following three
statements are equivalent:

1. $M \ge 0$,

2. $x^\dagger M x \ge 0$ for all vectors $x \in \mathbb{C}^d$,

3. $M = G^\dagger G$ for some matrix $G \in \mathbb{C}^{d \times d}$.

$M$ is called positive definite if and only if all of its eigenvalues are positive: we
have $x^\dagger M x > 0$ for all vectors $x \in \mathbb{C}^d$. We use $M > 0$ to indicate that $M$ is
positive definite. We also encounter projectors, where a Hermitian matrix $M$ is a
projector if and only if $M^2 = M$. Note that this implies that $M \ge 0$. We say that
two projectors $M_1$ and $M_2$ are orthogonal projectors if and only if $M_1 M_2 = 0$.

Furthermore, we use $S^d$ to denote the set of all Hermitian matrices, $S^d =
\{X \in \mathbb{C}^{d \times d} \mid X = X^\dagger\}$, and $S^d_+ = \{X \in S^d \mid X \ge 0\}$ for the set of all positive
semidefinite matrices. A set $\mathcal{T}$ is a cone, if for any $a \ge 0$ and $T \in \mathcal{T}$ we have
$aT \in \mathcal{T}$. A set $\mathcal{T}$ is convex, if for any $a \in [0, 1]$ and $T_1, T_2 \in \mathcal{T}$ we have
$aT_1 + (1 - a)T_2 \in \mathcal{T}$. A set $\mathcal{T}$ is called a convex cone, if $\mathcal{T}$ is convex and a cone:
for any $a_1, a_2 \ge 0$ and $T_1, T_2 \in \mathcal{T}$ we must have that $a_1 T_1 + a_2 T_2 \in \mathcal{T}$. Note that
$S^d_+$ is a convex cone: Let $a_1, a_2 \ge 0$, and $A, B \in S^d_+$. Then for any $x \in \mathbb{C}^d$ we
have

$$x^\dagger (a_1 A + a_2 B) x = a_1 x^\dagger A x + a_2 x^\dagger B x \ge 0.$$

Hence, $a_1 A + a_2 B \in S^d_+$. The following will be of use in Chapter [sj

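A.2.2. Proposition. Let $A, B \in S^d$. Then $A \ge 0$ if and only if for all $B \ge 0$
$\mathrm{Tr}(AB) \ge 0$.

Proof. Suppose that $A \ge 0$. Note that we can decompose $B = \sum_j \lambda_j |u_j\rangle\langle u_j|$
where for all $j$ $\lambda_j \ge 0$ since $B \ge 0$. Hence, $\mathrm{Tr}(AB) = \sum_j \lambda_j \mathrm{Tr}(A|u_j\rangle\langle u_j|) =
\sum_j \lambda_j \langle u_j|A|u_j\rangle \ge 0$, since $A \ge 0$.

To prove the converse, suppose on the contrary that for all $B \ge 0$ we have
$\mathrm{Tr}(AB) \ge 0$, but $A \not\ge 0$. If $A \not\ge 0$, then there exists some vector $|v\rangle$ such that
$\langle v|A|v\rangle < 0$. Let $B = |v\rangle\langle v|$. Clearly, $B \ge 0$ and $\mathrm{Tr}(AB) = \langle v|A|v\rangle < 0$ which is
a contradiction. □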
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A. 3 Semidefinite programming 

Semidefinite programming is a special case of convex optimization. Its goal is to 
solve the following semidefinite program (SDP) in terms of the variable M & S'^ 

maximize Tr(CM) 

subject to Tr(AjM) = bi,i = 1, . . . ,p, and M > 

for given matrices C, Ai, . . . , Ap & S'^. The above form is called the standard form 
of an SDP, and any SDP can be cast in this fashion (possibly at the expense 
of additional variables) |B V04] . To gain some geometric intuition about this 
task, note that M > means that M must lie in the cone iS^. The constraints 
Tr{AiM) = hi determine a set of hyperplanes which further limit our possible 
solutions. A matrix M is called feasible, if it satisfies all constraints. 

An important aspect of semidefinite programming is duality. Intuitively, the 
idea behind Lagrangian duality is to extend the objective function (here Tr(CM)) 
with a weighted sum of the constraints in such a way, that we will be penalized 
if the constraints are not fulfilled. The weights then correspond to the dual 
variables. Optimizing over these weights then gives rise to the dual problem. The 
original problem is called the primal problem. For the above SDP in standard 
form, we can write down the Lagrangian as 

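$$L(M, \lambda_1, \ldots, \lambda_p, K) = \mathrm{Tr}(CM) + \sum_{i=1}^{p} \lambda_i \big(b_i - \mathrm{Tr}(A_i M)\big) + \mathrm{Tr}(KM)$$

$$= \mathrm{Tr}\Big(\big(C - \sum_i \lambda_i A_i + K\big) M\Big) + \sum_i \lambda_i b_i,$$

where $K \geq 0$. The dual function is then

$$g(\lambda_1, \ldots, \lambda_p, K) = \sup_M \Big( \mathrm{Tr}\Big(\big(C - \sum_i \lambda_i A_i + K\big) M\Big) + \sum_i \lambda_i b_i \Big)$$

$$= \begin{cases} \sum_i \lambda_i b_i & \text{if } C - \sum_i \lambda_i A_i + K = 0 \\ \infty & \text{otherwise} \end{cases}$$

From $C - \sum_i \lambda_i A_i + K = 0$ and $K \geq 0$, we obtain that
$K = -C + \sum_i \lambda_i A_i \geq 0$. This gives us the dual problem as

minimize $\sum_i \lambda_i b_i$
subject to $\sum_i \lambda_i A_i \geq C$,

where the optimization is now over the dual variables $\lambda_i$.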

We generally use $d^*$ to denote the optimal value of the dual problem, and $p^*$
for the optimal value of the primal problem. Weak duality says that
$d^* \geq p^*$. Let's see why this is true in the above construction of the dual
problem. Let $M^{(*)}$ and $\{\lambda_i^{(*)}\}$ be the optimal solutions to the
primal and dual problem respectively. In particular, this means that $M^{(*)}$
and $\{\lambda_i^{(*)}\}$ must satisfy the constraints. Then

$$d^* - p^* = \sum_i \lambda_i^{(*)} b_i - \mathrm{Tr}(C M^{(*)})$$

$$= \sum_i \lambda_i^{(*)} \mathrm{Tr}(A_i M^{(*)}) - \mathrm{Tr}(C M^{(*)})$$

$$= \mathrm{Tr}\Big(\big(-C + \sum_i \lambda_i^{(*)} A_i\big) M^{(*)}\Big) \geq 0,$$

by Proposition A.2.2 since $M^{(*)} \geq 0$ and
$\sum_i \lambda_i^{(*)} A_i \geq C$. An important consequence of weak duality is
that if we have $d^* = p^*$ for a feasible dual and primal solution respectively,
we can conclude that both solutions are optimal. If solutions exist such that
$d^* = p^*$, we also speak of strong duality. We know from Slater's conditions
[BV04] that strong duality holds if there exists a feasible solution to the
primal problem which also satisfies $M > 0$.
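The weak and strong duality statements above can be checked numerically on the simplest instance of the standard form: a single constraint with $A_1 = \mathbb{I}$ and $b_1 = 1$, i.e. optimizing $\mathrm{Tr}(CM)$ over density matrices. This is an added example, not code from the thesis; the matrix `C_EXAMPLE` and all function names are constructed for illustration.

```python
import math
import random

def matmul(A, B):
    """Product of two square matrices given as nested lists."""
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def dagger(A):
    n = len(A)
    return [[complex(A[j][i]).conjugate() for j in range(n)] for i in range(n)]

def trace(A):
    return sum(A[i][i] for i in range(len(A)))

def eigenvalues_2x2(H):
    """(min, max) eigenvalue of a 2x2 Hermitian matrix, in closed form."""
    a, d = complex(H[0][0]).real, complex(H[1][1]).real
    mid = (a + d) / 2
    rad = math.sqrt(((a - d) / 2) ** 2 + abs(H[0][1]) ** 2)
    return mid - rad, mid + rad

def is_psd(H, tol=1e-12):
    """H >= 0 for a matrix already known to be Hermitian."""
    return eigenvalues_2x2(H)[0] >= -tol

def random_state(rng):
    """Primal-feasible M = G^dagger G / Tr(G^dagger G); PSD by Proposition A.2.1 (3)."""
    G = [[complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(2)] for _ in range(2)]
    P = matmul(dagger(G), G)
    t = trace(P).real
    return [[x / t for x in row] for row in P]

def primal_value(C, M):
    return trace(matmul(C, M)).real

def dual_slack(C, lam):
    """lam * I - C; lam is dual feasible exactly when this matrix is PSD."""
    return [[(lam if i == j else 0) - C[i][j] for j in range(2)] for i in range(2)]

def duality_gaps(C, trials=200, seed=1):
    """Gap (dual value - primal value) for random feasible primal/dual pairs."""
    rng = random.Random(seed)
    lam_max = eigenvalues_2x2(C)[1]
    gaps = []
    for _ in range(trials):
        M = random_state(rng)
        lam = lam_max + rng.random()          # any lam >= lam_max is dual feasible
        assert is_psd(M) and is_psd(dual_slack(C, lam))
        gap = lam - primal_value(C, M)        # dual objective is lam * b_1 with b_1 = 1
        # Same rewriting as in the text: gap = Tr((lam*I - C) M), >= 0 by Prop. A.2.2
        assert abs(gap - trace(matmul(dual_slack(C, lam), M)).real) < 1e-9
        gaps.append(gap)
    return gaps

def optimal_pair(C):
    """Primal optimum |v><v| (top eigenvector of C) and dual optimum lam_max."""
    lam_max = eigenvalues_2x2(C)[1]
    a, b = complex(C[0][0]).real, complex(C[0][1])
    if abs(b) > 1e-15:
        v = [b, lam_max - a]
    else:
        v = [1, 0] if a >= complex(C[1][1]).real else [0, 1]
    norm2 = sum(abs(x) ** 2 for x in v)
    M = [[v[i] * complex(v[j]).conjugate() / norm2 for j in range(2)] for i in range(2)]
    return M, lam_max

# Constructed Hermitian objective; its eigenvalues are +sqrt(3) and -sqrt(3).
C_EXAMPLE = [[1, 1 - 1j], [1 + 1j, -1]]

if __name__ == "__main__":
    gaps = duality_gaps(C_EXAMPLE)
    M_opt, lam_opt = optimal_pair(C_EXAMPLE)
    print("smallest gap over random feasible pairs:", min(gaps))
    print("gap at the optimal pair:", lam_opt - primal_value(C_EXAMPLE, M_opt))
```

Every random feasible pair has a non-negative gap (weak duality), and the gap closes at the optimal pair, as expected since the maximally mixed state is a strictly feasible primal point.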



A.4 Applications

In many quantum problems, we want to optimize over states, or measurement
operators. Evidently, semidefinite programming is very well suited to this case:
When optimizing over a state $\rho$, we ask that $\rho \geq 0$ and
$\mathrm{Tr}(\rho) = 1$. When optimizing over measurement operators
$M_1, \ldots, M_k$ belonging to one POVM, we ask that $M_j \geq 0$ for all
$j \in [k]$ and $\sum_j M_j = \mathbb{I}$. Concrete examples can be found
in Chapters pi and 11

C*-Algebra

As C*-algebras are not usually encountered in computer science, we briefly state
the most important results we will refer to for convenience. In particular, they
help us understand the framework of post-measurement information we encountered
in Chapter [3] as well as the structure of bipartite non-local games in
Chapter ini

B.1 Introduction

Instead of starting out with the usual axioms of quantum states and their
evolutions, any physical system can be characterized by a C*-algebra
$\mathcal{A}$ of observables.
States of this system are now identified purely by means of measurements of these 
observables. This starting point is rather beautiful in its abstraction: So far, noth- 
ing has been said how we can represent elements of this algebra. Yet, it turns out 
that all the usual axioms can be derived from this abstract structure: we can rep- 
resent observables as operators and states as vectors in a Hilbert space. In fact, 
any such algebra is isomorphic to an algebra of bounded operators on a Hilbert 
space. So why should we bother adopting this abstract viewpoint? It turns out 
that C*-algebras often make it easier to understand the fundamental differences 
between the classical and the quantum setting. If the algebra is abelian, we 
have a classical system. Otherwise, our system is inherently quantum. Commu- 
tativity leads to several nice structural properties of an algebra which have been 
exploited to answer many central questions in quantum information: When can 
we clone physical states? What information can be extracted without disturbing 
the system? That is, what part of a system is in fact classical and what is truly 
quantum? 

Here, we will merely scratch the surface of this formalism. In particular, we
will focus on finite-dimensional C*-algebras only, which is all we will need in
Chapters [3] and [6]. For more information, consult any textbook on the topic
[Tak79, BR02, Arv76]. We assume that the reader is familiar with the basic
concepts such as a Hilbert space and refer to [Con90] for an introduction. First,
we need to introduce some essential definitions in Section B.2. We then examine
states and observables, and their familiar representation in a Hilbert space in
Section B.3.2.

In Section B.4 we then concentrate on commutation: We will sketch how from
commutation relations we in fact obtain a bipartite structure. It turns out that 
commutation relations also play an important role in determining which opera- 
tions leave states invariant. Looking at the structure of the problem, it turns out 
that in fact many problems ranging from cloning to post-measurement informa- 
tion and bipartite non-local games are quite closely related. 



B.2 Some terminology

A Banach algebra $\mathcal{A}$ is a linear associative algebra^1 which is also a
Banach space, with the property that for all $A$ and $B \in \mathcal{A}$ we have

$$\|AB\| \leq \|A\| \, \|B\|.$$

The norm $\|A\|$ of $A$ is thereby a real number satisfying the usual
requirements that for all $A \in \mathcal{A}$ we have $\|A\| \geq 0$ where
$\|A\| = 0$ if and only if $A = 0$, $\|\alpha A\| = |\alpha| \, \|A\|$,
$\|A + B\| \leq \|A\| + \|B\|$, and $\|AB\| \leq \|A\| \, \|B\|$. $\mathcal{A}$
is called a *-algebra if it has the additional property that it admits an
involution $A \to A^\dagger \in \mathcal{A}$ such that for all $A$ and
$B \in \mathcal{A}$ the following holds: $(A^\dagger)^\dagger = A$,
$(A + B)^\dagger = A^\dagger + B^\dagger$,
$(\alpha A)^\dagger = \bar{\alpha} A^\dagger$, and
$(AB)^\dagger = B^\dagger A^\dagger$. A C*-algebra is now an even more special
case: in addition we also have that $\|A^\dagger A\| = \|A\|^2$ for all
$A \in \mathcal{A}$. This also gives us $\|A^\dagger\| = \|A\|$. In the following
we will simply use the term "algebra" to refer to a C*-algebra. The trick is not
to be intimidated. It is easier to have a more concrete picture in mind: For
example, the algebra $\mathbb{B}(\mathcal{H})$ of all bounded operators on a
Hilbert space $\mathcal{H}$ is a C*-algebra, when we take sums and products of
operators in the usual way and take our norm to be the operator norm
$\|A\| = \sup(\|Av\| \mid v \in \mathcal{H}, \|v\| = 1)$, where
$\|v\|^2 = \langle v|v \rangle$ for the inner product
$\langle \cdot | \cdot \rangle$ of the Hilbert space. This algebra is closed
under all the usual operations such as addition, multiplication, and
multiplication by scalar^2 and the involution operation. This involution is now
the adjoint operation $A \to A^\dagger$, which in physics is usually denoted by
$\dagger$ instead of *. In some physics papers, you will therefore also find the
name $\dagger$-algebra instead. As in the example of post-measurement
information, we are also often interested in the *-algebra generated by a given
set of operators. Any operator $X$ in a Hilbert space $\mathcal{H}$ determines a
C*-algebra $\mathcal{A}$ which we will denote by
$\mathcal{A} = \langle X \rangle$. This is the smallest C*-algebra which contains
both $X$ and the identity, i.e.
$\langle X \rangle = \bigcap_{X, \mathbb{I} \in \mathcal{B}} \mathcal{B}$. What's
included in $\langle X \rangle$? Recall that $\mathcal{A}$ is closed under the
adjoint operation so we definitely have $X^\dagger$. In addition, our conditions
above imply that we will see all possible polynomials in $X$ and $X^\dagger$. For
example, $X + X^\dagger$ and $X X^\dagger$ are also elements of the algebra. We
use $\langle X_1, \ldots, X_k \rangle$ to denote the C*-algebra generated by
operators $X_1, \ldots, X_k$, and $\langle S \rangle$ to denote the algebra
generated by operators from the set $S$.

^1 An associative algebra over the complex numbers is a vector space over the
complex numbers with a multiplication that is associative.

^2 We will take the underlying field to be $\mathbb{C}$.

If an algebra $\mathcal{B}$ satisfies $\mathcal{B} \subseteq \mathcal{A}$ we call
$\mathcal{B}$ a subalgebra of $\mathcal{A}$. An algebra $\mathcal{A}$ is unital
if it contains the identity. We will always use $\mathbb{I}$ to denote the
identity element. Since we restrict ourselves to the finite-dimensional case, we
can assume that any C*-algebra is in fact unital [Tak79]. We will always take
$\mathcal{A}$ to be unital here. An element $A \in \mathcal{A}$ of a Banach
algebra $\mathcal{A}$ is called invertible if there exists some
$A' \in \mathcal{A}$ such that $AA' = A'A = \mathbb{I}$. Furthermore, for a
C*-algebra $\mathcal{A}$ the spectrum of $A \in \mathcal{A}$ is given by
$\mathrm{Sp}_{\mathcal{A}}(A) = \{\lambda \in \mathbb{C} \mid A - \lambda\mathbb{I} \text{ is not invertible}\}$.
Note that for any $A \in \mathbb{B}(\mathcal{H})$, this is just the spectrum of
the operator relative to $\mathbb{B}(\mathcal{H})$ in the usual sense.

A left ideal in some algebra $\mathcal{A}$ is a subalgebra
$\mathcal{I} \subseteq \mathcal{A}$ such that for any elements
$B \in \mathcal{I}$ and $A \in \mathcal{A}$ we have that $AB \in \mathcal{I}$.
Similarly, $\mathcal{I}$ is called a right ideal if $BA \in \mathcal{I}$. A
two-sided ideal or simply ideal has both properties: $\mathcal{I}$ is both a left
and right ideal of $\mathcal{A}$. An algebra $\mathcal{A}$ is called simple if
its only ideals are $\{0\}$ and $\mathcal{A}$ itself. An algebra $\mathcal{A}$ is
called semisimple, if it can be written as the direct sum of simple algebras. To
get a better feeling for what this actually means, it is perhaps again helpful to
think of a particular representation of the algebra in terms of bounded operators
on a Hilbert space. In terms of representations, being simple means that the
representation is irreducible. Being semisimple then means that the
representation is completely reducible: i.e. for the representation $\pi$ of
$\mathcal{A}$ we can express $\pi(A)$ as a sum of irreducible representations. We
will examine this decomposition in more detail in Section B.4.1.



B.3 Observables, states and representations
B.3.1 Observables and states

A physical system is characterized by a set of measurable quantities, i.e.
observables. As mentioned above, we will assume that a physical system is in fact
described by a C*-algebra $\mathcal{A}$ of observables. As we will see below, we
can take the observables to live in a Hilbert space $\mathcal{H}$, and
$\mathcal{A} \subseteq \mathbb{B}(\mathcal{H})$. Where do the states come in? In
the language of C*-algebras, states are positive linear functionals on
$\mathcal{A}$: A linear functional on an algebra $\mathcal{A}$ is a function
$f : \mathcal{A} \to \mathbb{C}$ such that for all $A, B \in \mathcal{A}$ we have
$f(A + B) = f(A) + f(B)$ and $f(\alpha A) = \alpha f(A)$ where
$\alpha \in \mathbb{C}$ is a scalar. A linear functional is called positive if
$f(A) \geq 0$ for any $A \in \mathcal{A}$ whenever $A \geq 0$. A state on
$\mathcal{A}$ is a positive linear functional $f$ on $\mathcal{A}$ with the
additional property that it has norm 1, i.e., $f(\mathbb{I}) = 1$. The set of
states is a convex set of linear functionals and its extreme elements are called
pure states. The set of all states on an algebra $\mathcal{A}$ is also called the
state space, often denoted by $S(\mathcal{A})$. Any observable
$A \in \mathcal{A}$ in our algebra is uniquely characterized by the expectation
of all states when we measure $A$: So the value of $f(A)$ for all states
$f \in S(\mathcal{A})$ in our state space uniquely characterizes any element $A$
of our algebra. The converse is also true: the value of $f(A)$ for all
$A \in \mathcal{A}$ completely characterizes the state $f$. To get a better
feeling for this, it is again helpful to think of an algebra
$\mathcal{A} \subseteq \mathbb{B}(\mathcal{H})$. Given a vector $v$ living in the
Hilbert space $\mathcal{H}$, we can construct a linear functional on
$\mathcal{A}$ by letting $f(A) = \langle v | A v \rangle$. The same is true if we
consider any abstract $\mathcal{A}$ and its representation $\pi$ on a Hilbert
space, by letting $f(A) = \langle v | \pi(A) v \rangle$ given
$v \in \mathcal{H}$.

B.3.2 Representations

We now examine how an abstract C*-algebra can be represented by a set of
operators on a Hilbert space, via the famous construction by Gelfand, Naimark
and Segal. An account of this construction can be found in any standard textbook
on C*-algebra [Tak79, BR02, Arv76]. For completeness, we here give a heavily
annotated, largely self-contained, explanation of the GNS construction. As it
turns out, by the GNS construction, any C*-algebra is isomorphic to an algebra
of bounded operators, a result which we will merely state here. When trying to
find a representation of a C*-algebra $\mathcal{A}$, our goal is to find a pair
$(\pi, \mathcal{H})$ where $\mathcal{H}$ is a Hilbert space and
$\pi : \mathcal{A} \to \mathbb{B}(\mathcal{H})$ is a *-homomorphism which maps
any element of our algebra to a bounded operator in the chosen Hilbert space.

B.3.1. Theorem (GNS). Let $\mathcal{A}$ be a unital C*-algebra, and let $f$ be a
positive linear functional on $\mathcal{A}$. Then there exists a representation
$(\mathcal{H}_f, \pi_f)$ of $\mathcal{A}$ with a Hilbert space $\mathcal{H}_f$, a
*-homomorphism^3 $\pi_f : \mathcal{A} \to \mathbb{B}(\mathcal{H}_f)$ and a vector
$\Phi_f \in \mathcal{H}_f$ such that for all $A \in \mathcal{A}$

$$f(A) = \langle \Phi_f | \pi_f(A) \Phi_f \rangle.$$

Proof. First, we construct the Hilbert space $\mathcal{H}_f$. Since $\mathcal{A}$
is a Banach space, we can turn it into a pre-Hilbert space^4 by defining the
positive semidefinite sesquilinear form

$$\langle A | B \rangle_f = f(A^\dagger B),$$

for all $A, B \in \mathcal{A}$. Note that this form may be degenerate^5. In order
to eliminate this degeneracy, consider

$$\mathcal{I}_f = \{A \mid A \in \mathcal{A} \text{ and } f(A^\dagger A) = 0\}.$$

Note that $\mathcal{I}_f$ is a linear subspace of $\mathcal{A}$ since for all
$I, J \in \mathcal{I}_f$ we have
$f((I + J)^\dagger (I + J)) = f(I^\dagger I) + f(J^\dagger J) + f(I^\dagger J) + f(J^\dagger I) \leq 2\sqrt{f(J^\dagger J) f(I^\dagger I)} = 0$,
where we used the Cauchy-Schwarz inequality^6.

We now show that $\mathcal{I}_f$ is a left ideal of $\mathcal{A}$: Let
$I \in \mathcal{I}_f$ and $A, B \in \mathcal{A}$. We then need to show that
$AI \in \mathcal{I}_f$. Indeed, from $(AI)^\dagger (AI) \geq 0$ we have

$$0 \leq f((AI)^\dagger (AI)) = f(I^\dagger A^\dagger A I) \leq \sqrt{f(I^\dagger I) \, f((A^\dagger A I)^\dagger (A^\dagger A I))} = 0,$$

where the inequality follows from the Cauchy-Schwarz inequality.

The Hilbert space $\mathcal{H}_f$ is then constructed by completing the quotient
space $\mathcal{A} / \mathcal{I}_f$. This works as follows: Define the
equivalence classes

$$\Psi_A = \{A + I \mid I \in \mathcal{I}_f\}.$$

Note that these equivalence classes constitute a complex vector space on their
own, where addition and scalar multiplication are defined via the following
operations inherited from $\mathcal{A}$. We have
$\Psi_{A+B} = \Psi_A + \Psi_B$ and $\Psi_{\alpha A} = \alpha \Psi_A$. We can then
define the inner product

$$\langle \Psi_A | \Psi_B \rangle = \langle A | B \rangle_f = f(A^\dagger B).$$

Note that $\Psi_A$ and $\Psi_B$ of course depend on $f$. One can verify that this
is a correct definition. Indeed, the inner product does not depend on our choice
of representative from each equivalence class: Let
$I_1, I_2 \in \mathcal{I}_f$, and let $A, B \in \mathcal{A}$. Then

$$f((A + I_1)^\dagger (B + I_2)) = f(A^\dagger B) + f(A^\dagger I_2) + f(I_1^\dagger B) + f(I_1^\dagger I_2) = f(A^\dagger B),$$

where the last equality follows again from the Cauchy-Schwarz inequality. We
can now obtain $\mathcal{H}_f$ by forming the completion of this space. It is
well-known in functional analysis that any strict pre-Hilbert space can be
embedded as a dense subspace of a Hilbert space in such a way that the inner
product is preserved.

Second, we must construct $\pi_f$. We first define the action of $\pi_f(A)$ on
the vectors constructed above as

$$\pi_f(A) \Psi_B = \Psi_{AB}.$$

Note that this definition is again independent of our choice of representative
from each equivalence class since for all $A, B \in \mathcal{A}$ we have

$$\pi_f(A) \Psi_{B+I} = \Psi_{A(B+I)} = \Psi_{AB+AI} = \Psi_{AB} = \pi_f(A) \Psi_B,$$

since $\mathcal{I}_f$ is a left ideal of $\mathcal{A}$ and we already saw that
$AI \in \mathcal{I}_f$. It remains to show that $\pi_f$ is a homomorphism and
that $\pi_f(A)$ is indeed bounded. To see that $\pi_f$ is a homomorphism, note
that

$$\pi_f(AB) \Psi_C = \Psi_{ABC} = \pi_f(A) \pi_f(B) \Psi_C$$

and

$$\pi_f(\lambda A + \gamma B) \Psi_C = \Psi_{\lambda AC + \gamma BC} = \lambda \Psi_{AC} + \gamma \Psi_{BC} = (\lambda \pi_f(A) + \gamma \pi_f(B)) \Psi_C,$$

as desired. To see that $\pi_f(A)$ is bounded, consider

$$\|\pi_f(A) \Psi_B\|^2 = \langle \Psi_{AB} | \Psi_{AB} \rangle = f((AB)^\dagger (AB))$$

$$= f(B^\dagger A^\dagger A B) \leq \|A\|^2 f(B^\dagger B) = \|A\|^2 \, \|\Psi_B\|^2,$$

where we used the fact that from
$B^\dagger A^\dagger A B \leq \|A\|^2 B^\dagger B$ we have
$f(B^\dagger A^\dagger A B) \leq \|A\|^2 f(B^\dagger B)$ (see for example
[Tak79]).

Finally, we need to construct the vector $\Phi_f$. Since $\mathcal{A}$ is unital
we can take $\Phi_f = \Psi_{\mathbb{I}}$. This gives us
$\langle \Phi_f | \pi_f(A) \Phi_f \rangle = \langle \Psi_{\mathbb{I}} | \pi_f(A) \Psi_{\mathbb{I}} \rangle = \langle \Psi_{\mathbb{I}} | \Psi_A \rangle = f(\mathbb{I}^\dagger A) = f(A)$.
Note that $\pi_f(A) \Psi_{\mathbb{I}} = \Psi_A$, i.e.,
$\Phi_f = \Psi_{\mathbb{I}}$ is cyclic for $(\mathcal{H}_f, \pi_f)$. □

^3 A homomorphism that preserves the *.

^4 We take a pre-Hilbert space to be a vector space with a positive semidefinite
sesquilinear form, and a strict pre-Hilbert space to be a vector space with an
inner product.

^5 Such a form is nondegenerate if and only if: $\langle A | B \rangle_f = 0$ for
all $B \in \mathcal{A}$ implies that $A = 0$.

^6 In this context the CS-inequality gives us that for all
$A, B \in \mathcal{A}$ we have
$|f(A^\dagger B)|^2 \leq f(A^\dagger A) f(B^\dagger B)$.

The resulting representation is irreducible if and only if $f$ is pure [BR02,
Theorem 2.3.19]. By considering a family of states $F$, and applying the GNS
construction to all $f \in F$ and taking the direct sum of representations it is
then possible to show that:

B.3.2. Theorem. (GN) Let $\mathcal{A}$ be a unital C*-algebra. Then
$\mathcal{A}$ is isomorphic to an algebra of bounded operators on a Hilbert space
$\mathcal{H}$.

B.4 Commuting operators

$\mathcal{A}$ is abelian if and only if the physical system corresponding to this
algebra is classical. Thus to distinguish the quantum from the classical
problems, commutation will be central to our discussion. In fact, it leads to
very nice structural properties which we already exploited in Chapter [3]. First,
however, we will need a bit more terminology. The commutator of two operators $A$
and $B$ is given by $[A, B] = AB - BA$. For quantum applications, two observables
$A$ and $B$ are called compatible if they commute, i.e., $[A, B] = 0$.
Conversely, $A$ and $B$ are called complementary if $[A, B] \neq 0$. The center
of an algebra $\mathcal{A}$ is the set of all elements in $\mathcal{A}$ that
commute with all elements of $\mathcal{A}$, i.e.

$$\mathcal{Z}_{\mathcal{A}} = \{Z \mid Z \in \mathcal{A}, \forall A \in \mathcal{A} : [Z, A] = 0\}.$$

It is easy to see that if $\mathcal{A}$ only has a trivial center, i.e.
$\mathcal{Z}_{\mathcal{A}} = \{c\mathbb{I} \mid c \in \mathbb{C}\}$,
$\mathcal{A}$ is simple [Tak79]. If
$\mathcal{A} \subseteq \mathbb{B}(\mathcal{H})$ for some Hilbert space
$\mathcal{H}$, then the commutant of $\mathcal{A}$ in $\mathbb{B}(\mathcal{H})$
is

$$\mathrm{Comm}(\mathcal{A}) = \{X \mid X \in \mathbb{B}(\mathcal{H}), \forall A \in \mathcal{A} : [X, A] = 0\}.$$

We have $\mathcal{Z}_{\mathcal{A}} = \mathcal{A} \cap \mathrm{Comm}(\mathcal{A})$.

B.4.1 Decompositions

In any of our problems, the interesting case is when the algebra $\mathcal{A}$
under consideration is in fact simple: that is, "fully quantum". In all problems
we will consider, it will turn out that we can always break down the problem into
smaller components by decomposing any $\mathcal{A}$ into a sum of simple
algebras^7. Luckily, such a decomposition always exists in the finite-dimensional
case:

B.4.1. Lemma. Let $\mathcal{A}$ be a finite-dimensional C*-algebra. Then there
exists a decomposition

j

such that $\mathcal{A}_j$ is simple.

Proof. Let $\mathcal{Z}_{\mathcal{A}}$ be the center of $\mathcal{A}$. Clearly,
since $\mathcal{A}$ is finite-dimensional, $\mathcal{Z}_{\mathcal{A}}$ is a
finite-dimensional abelian C*-algebra. Since $\mathcal{Z}_{\mathcal{A}}$ is
finite, there exist a finite set of positive linear functionals
$\{f_1, \ldots, f_m\}$, such that $f_j(AB) = f_j(A) f_j(B)$ and
$f_j(A) \in \mathrm{Sp}_{\mathcal{Z}_{\mathcal{A}}}(A)$ for all
$A, B \in \mathcal{Z}_{\mathcal{A}}$^8. For all $1 \leq k \leq m$, choose
$\Pi_k \in \mathcal{Z}_{\mathcal{A}}$ such that $f_j(\Pi_k) = \delta_{jk}$ for
all $j$. Note that $\Pi_1, \ldots, \Pi_m$ are projectors and Ylij = ^
since for all $j$ we have $f_j(\Pi_k \Pi_k) = f_j(\Pi_k) f_j(\Pi_k)$ since
$\mathcal{Z}_{\mathcal{A}}$ is abelian. Now we have

m m
jk=l j=l

since for all $A \in \mathcal{A}$ we have $\Pi_j A \Pi_k = \Pi_j \Pi_k A = 0$
since $\Pi_j, \Pi_k \in \mathcal{Z}_{\mathcal{A}}$. Note that
$\mathcal{A}_j = \Pi_j \mathcal{A} \Pi_j$ only has a trivial center: its only
elements that commute with any element of $\mathcal{A}_j$ are scalar multiples of
$\Pi_j$. Hence, $\mathcal{A}_j$ is simple. □

In fact, it is possible to show that [Tak79]:

B.4.2. Corollary. Let $\mathcal{A}$ be a finite-dimensional C*-algebra. Then
there exists $\mathcal{H}$ and a decomposition

j

such that

Note that this means that any element $A \in \mathcal{A}$ can be written as
$A = \sum_j \Pi_j A \Pi_j$ where $\Pi_j$ is a projection onto $\mathcal{H}_j$.

^7 Recall that we only consider the finite-dimensional case.

^8 For a matrix algebra these are just the eigenvectors with equal eigenvalue

B.4.2 Bipartite structure

As we saw in Chapter [3], commutation relations induce a beautiful structure
captured by the Double Commutant theorem. We here sketch a proof of the parts
of this theorem which are interesting for understanding non-local games: Consider
a bipartite system $\mathcal{H}^A \otimes \mathcal{H}^B$, and operators
$A = A \otimes \mathbb{I}^{[B]}$ and $B = \mathbb{I}^{[A]} \otimes B$ with
$A \in \mathbb{B}(\mathcal{H}^A)$ and $B \in \mathbb{B}(\mathcal{H}^B)$. Clearly,
$[A, B] = 0$ since $A$ and $B$ act on two different subsystems. Curiously,
however, we can essentially reverse the argument: A set of commutation relations
gives rise to a bipartite structure itself!

B.4.3. Lemma. Let $\mathcal{H}$ be a finite-dimensional Hilbert space, and let
$\{X_s^a \in \mathbb{B}(\mathcal{H}) \mid s \in S\}$ and
$\{Y_t^b \in \mathbb{B}(\mathcal{H}) \mid t \in T\}$. Then the following two
statements are equivalent:

1. For all $s \in S$, $t \in T$, $a \in A$ and $b \in B$ it holds that
$[X_s^a, Y_t^b] = 0$.

2. There exist Hilbert spaces $\mathcal{H}^A, \mathcal{H}^B$ such that
$\mathcal{H} = \mathcal{H}^A \otimes \mathcal{H}^B$ and for all $s \in S$,
$a \in A$ we have $X_s^a \in \mathbb{B}(\mathcal{H}^A)$ and for all $t \in T$,
$b \in B$ we have $Y_t^b \in \mathbb{B}(\mathcal{H}^B)$.

This statement can easily be extended to more than two players. Here, we will
only address the finite-dimensional case.



First of all, recall that by Lemma 6.3.1 we can greatly simplify our problem
for non-local games and restrict ourselves to C*-algebras that are simple. As we
saw earlier in Lemma B.4.1 it is well known that we can decompose any finite
dimensional algebra into the sum of simple algebras. We furthermore need that
for any simple algebra, the following holds:

B.4.4. Lemma. [Tak79] Let $\mathcal{H}$ be a Hilbert space, and let
$\mathcal{A} \subseteq \mathbb{B}(\mathcal{H})$ be simple. Then
$\mathcal{H} = \mathcal{H}^A \otimes \mathcal{H}^B$ and
$\mathcal{A} = \mathbb{B}(\mathcal{H}^A) \otimes \mathbb{I}^B$.

We are now ready to prove Lemma B.4.3. First, we examine the case where we are
given a simple algebra $\mathcal{A} \subseteq \mathbb{B}(\mathcal{H})$, for some
Hilbert space $\mathcal{H}$. We will need the following version of Schur's lemma.

B.4.5. Lemma. Let $Z$ be the center of $\mathbb{B}(\mathcal{H})$. Then
$Z = \{c\mathbb{I} \mid c \in \mathbb{C}\}$.

Proof. Let $C \in Z$ and let $d = \dim(\mathcal{H})$. Let
$\mathcal{B} = \{E_{ij} \mid i, j \in [d]\}$ be a basis for
$\mathbb{B}(\mathcal{H})$, where $E_{ij} = |i\rangle\langle j|$ is the matrix of
all 0's and a 1 at position $(i, j)$. Since $C \in Z$ and
$E_{ij} \in \mathbb{B}(\mathcal{H})$ we have for all $i \in [d]$

$$C E_{ii} = E_{ii} C.$$

Note that $C E_{ii}$ (or $E_{ii} C$) is the matrix of all 0's but the $i$th column
(or row) is determined by the elements of $C$. Hence all off diagonal elements of
$C$ must be 0. Now consider

$$C (E_{ij} + E_{ji}) = (E_{ij} + E_{ji}) C.$$

Note that $C (E_{ij} + E_{ji})$ (or $(E_{ij} + E_{ji}) C$) is the matrix in which
the $i$th and $j$th columns (rows) of $C$ have been swapped and the remaining
elements are 0. Hence all diagonal elements of $C$ must be equal. Thus there
exists some $c \in \mathbb{C}$ such that $C = c\mathbb{I}$. □



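Using this Lemma, we can now show that

B.4.6. Lemma. Let $C \in \mathbb{B}(\mathcal{H}^A \otimes \mathcal{H}^B)$ such
that for all $B \in \mathbb{B}(\mathcal{H}^B)$ we have

$$[C, (\mathbb{I}^A \otimes B)] = 0.$$

Then there exists an $A \in \mathbb{B}(\mathcal{H}^A)$ such that
$C = A \otimes \mathbb{I}^B$.

Proof. Let $d_A = \dim(\mathcal{H}^A)$ and $d_B = \dim(\mathcal{H}^B)$. Note that
we can write any $C$ as

$$C = \begin{pmatrix} C_{11} & \ldots & C_{1 d_A} \\ \vdots & & \vdots \\ C_{d_A 1} & \ldots & C_{d_A d_A} \end{pmatrix}$$

for $d_B \times d_B$ matrices $C_{ij}$. We have
$C (\mathbb{I}^A \otimes B) = (\mathbb{I}^A \otimes B) C$ if and only if for all
$i, j \in [d_A]$, $C_{ij} B = B C_{ij}$, i.e. $[C_{ij}, B] = 0$. Since this must
hold for all $B \in \mathbb{B}(\mathcal{H}^B)$ we have by Lemma B.4.5 that there
exists some $a_{ij} \in \mathbb{C}$ such that $C_{ij} = a_{ij} \mathbb{I}^B$.
Hence $C = A \otimes \mathbb{I}^B$ with $A = [a_{ij}]$. □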



For the case that the algebra generated by Alice and Bob's measurement
operators is simple, Lemma B.4.3 now follows immediately:

Proof. [Proof of Lemma B.4.3 if $\mathcal{A}$ is simple] Let
$\mathcal{A} = \langle \{X_s^a\} \rangle \subseteq \mathbb{B}(\mathcal{H})$ be
the algebra generated by Alice's measurement operators. If $\mathcal{A}$ is
simple, it follows from Lemma B.4.4 that
$\mathcal{A} = \mathbb{B}(\mathcal{H}^A) \otimes \mathbb{I}^B$ for
$\mathcal{H} = \mathcal{H}^A \otimes \mathcal{H}^B$. It then follows from
Lemma B.4.6 that for all $t \in T$ and $b \in B$ we must have
$Y_t^b \in \mathbb{B}(\mathcal{H}^B)$. □

Thus, we obtain a tensor product structure! Recall that Lemma 6.3.1 states
that for non-local games this is all we need.

In general, what happens if $\mathcal{A}$ is not simple? We now sketch the
argument in the case that $\mathcal{A}$ is semisimple, which by Lemma B.4.1 we
may always assume in the finite-dimensional case. Fortunately, we can still
assume that our commutation relations leave us with a bipartite structure. We can
essentially infer this from von Neumann's famous Double Commutant Theorem
[Tak79, BR02], partially stated here.

B.4.7. Theorem. Let $\mathcal{A}$ be a finite-dimensional C*-algebra. Then there
exists $\mathcal{H} = \mathcal{H}^A \otimes \mathcal{H}^B$ and a decomposition

B

such that

and

(B.1)

Proof. (Sketch) We already know from Lemma B.4.1 that $\mathcal{A}$ can be
decomposed into a sum of simple algebras. Clearly, the RHS of Eq. B.1 is an
element of $\mathrm{Comm}(\mathcal{A})$. To see that the LHS is contained in the
RHS, consider the projection $\Pi_j^A$ onto $\mathcal{H}_j^A$. Note that
$\Pi_j^A \in \mathcal{A}$ and thus for any $X \in \mathrm{Comm}(\mathcal{A})$ we
have $[X, \Pi_j^A] = 0$. Hence, we can write
$X = \sum_j (\Pi_j^A \otimes \mathbb{I}^B) X (\Pi_j^A \otimes \mathbb{I}^B)$, and
thus we can restrict ourselves to considering each factor individually. The
result then follows immediately from Lemma B.4.6. □



If we have more than two players, the argument is essentially analogous, and
we merely sketch it in the relevant case when the algebra generated by the
players' measurements is simple, since Lemma 6.3.1 directly extends to more than
two players as well. Suppose we have $N$ players
$\mathcal{P}_1, \ldots, \mathcal{P}_N$ and let $\mathcal{H}$ denote their joint
Hilbert space. Let $\mathcal{A}$ be the algebra generated by all measurement
operators of players $\mathcal{P}_1, \ldots, \mathcal{P}_{N-1}$ respectively.
Then it follows from Lemma B.4.6 and Lemma B.4.4 that
$\mathcal{H} = \mathcal{H}^{1,\ldots,N-1} \otimes \mathcal{H}^N$ where
$\mathcal{A} \cong \mathbb{B}(\mathcal{H}^{1,\ldots,N-1})$ and for all
measurement operators $M$ of player $\mathcal{P}_N$ we have that
$M \in \mathbb{B}(\mathcal{H}^N)$. By applying Lemma B.4.6 recursively we obtain
that there exists a way to partition the Hilbert space into subsystems
$\mathcal{H} = \mathcal{H}^1 \otimes \ldots \otimes \mathcal{H}^N$ such that the
measurement operators of player $\mathcal{P}_j$ act on $\mathcal{H}^j$ alone.

In quantum mechanics, we will always obtain such a tensor product structure
from commutation relations, even if the Hilbert space is infinite dimensional
[Sum90]. Here, we start out with a type-I algebra, the corresponding Hilbert
space and operators can then be obtained by the famous GNS construction [Tak79],
an approach which is rather beautiful in its abstraction. In quantum statistical
mechanics and quantum field theory, we will also encounter factors of type-II
and type-III. As it turns out, the above argument does not generally hold in this
case, however, there are a number of conditions that can lead to a similar
structure. Unfortunately, we cannot consider this case here and merely refer to
the survey article by Summers [Sum90].



B.4.3 Invariant observables and states

As we saw in Chapter [3], expressing our problem in terms of commutation
relations enables us to exploit their structural consequences. Particularly
interesting is also the fact that we can characterize the set of states which are
invariant under a quantum channel by means of such relations, repeated here for
convenience sake:

B.4.8. Lemma. (HKL) [HKL03] Let $\Lambda : \mathcal{H} \to \mathcal{H}$ be a
unital quantum channel with $\Lambda(\rho) = \sum_m V_m \rho V_m^\dagger$, and let
$S$ be a set of quantum states. Then

$$\forall \rho \in S, \ \Lambda(\rho) = \rho \text{ if and only if } \forall m \, \forall \rho \in S, \ [V_m, \rho] = 0.$$

Let's see what this means for a specific unital channel
$\Lambda(\rho) = \sum_m V_m \rho V_m^\dagger$ and a particular ensemble given by
states $\rho_1, \ldots, \rho_n \in \mathcal{H}$. As in Chapter [3] we now consider
the *-algebra generated by $\rho_1, \ldots, \rho_n$. Let $\mathcal{A}$ denote the
resulting algebra. By Theorem B.4.7 we know that we can write

and

$$\mathrm{Comm}(\mathcal{A}) = \bigoplus_j \mathbb{I}_j^A \otimes \mathbb{B}(\mathcal{H}_j^B).$$

Clearly, we have from the above that if $\Lambda$ leaves our ensemble of states
untouched, we must have $V_m \in \mathrm{Comm}(\mathcal{A})$ for all $m$. Thus we
know that $V_m$ must be of the form $\mathbb{I}_j^A \otimes V_j^B$ on each
factor. What does this mean operationally? Suppose we can write
$\mathcal{H} = \bigoplus_j \mathcal{H}_j$ such that
$\rho_k = \sum_j \Pi_j \rho_k \Pi_j$ for each $\rho_k$, where $\Pi_j$ is a
projector onto $\mathcal{H}_j$. That is, we can simultaneously block-diagonalize
all $\rho_k$. Then we know that $V_m$ must be equal to the identity on each
factor $\mathcal{H}_j$, i.e. $V_m$ must be of the form $c_j \Pi_j$ for some $c_j$
with $|c_j| = 1$. Another nice application of this viewpoint is an algebraic
no-cloning theorem, as put forward by Lindblad [Lin99].



B.5 Conclusion 

Even though the sheer number of new definitions may appear daunting, we saw 
that the language of C*-algebras can help us get a grip on some of the fundamental 
properties of quantum states quite easily. Of course, the language of C*-algebras 
is not the most convenient one for all problems. Yet, there are many cases for 
which the language of C*-algebras is especially useful. As we saw earlier, one 
of these cases is when we consider measurements performed by two parties on a 
bipartite system. Another class of problems deals with questions of the following 
forms: Which operations leave a given set of states invariant? How much can we 
learn from a given state without disturbing it? What part of a state is "truly" 
quantum and which parts can we consider to be classical? How can we encode 
our states such that they are left untouched by a set of operations? 

For example, another application is the compression of quantum states. Koashi
and Imoto consider how a quantum state can be decomposed into a quantum, a
classical and a redundant part to aid compression. In their paper, they provide
an algorithm which in fact allows us to compute (with a lot of pain) the
decomposition of an algebra and its commutant algebra [KI02]. It is probably
not so surprising by now that other tasks involving invariance under operations
are also closely related: Choi and Kribs [CK06] have phrased the principle of
decoherence-free subspaces in terms of what they call algebraic noise commutant
formalism. In this text, we have exploited C*-algebras to investigate the use of
post-measurement information in Chapter [3]. As we saw in Chapter [8], the
question of how much post-measurement information is needed is in fact closely
related to how much entanglement we need to succeed in non-local games. Whereas
these two problems may appear unrelated at first sight, their structural
similarities show their close connection. Likewise, these similarities also
enabled us in Chapter [6] to investigate how much we can really gain by receiving
additional post-measurement information. Finally, the close connection of
C*-algebras and Clifford algebras discussed in Appendix [C] was one of the
factors that led us to discover the uncertainty relations of Chapter [4]. Hence,
C*-algebras sometimes help us to understand the similarities between problems,
and aid our intuition.

Similar to C*-algebra, Clifford algebra plays little role in computer science
even though it has recently found numerous applications in the area of computer
graphics. Here, we informally summarize the most important facts we need in this
text. Our aim is merely to provide the reader with some intuition underlying our
uncertainty relation in Chapter [4] and refer to [Lou01] for an in-depth
introduction.

C.l Introduction 

Clifford algebra is closely related to C*-algebra. Yet, it exhibits many beautiful 
geometrical aspects which remain inaccessible to us otherwise. In particular, we 
will see that commutation and anti-commutation carries a geometric meaning 
within this algebra. 

For any integer $n$, the unital associative algebra generated by $\Gamma_1, \ldots, \Gamma_{2n}$,
subject to the anti-commutation relations

$$\Gamma_i \Gamma_j = -\Gamma_j \Gamma_i, \qquad \Gamma_i^2 = \mathbb{I}$$

is called Clifford algebra. It has a unique representation by Hermitian matrices on
$n$ qubits (up to unitary equivalence) which we fix henceforth. This representation
can be obtained via the famous Jordan-Wigner transformation [JW28]:

$$\Gamma_{2j} = \sigma_y^{\otimes (j-1)} \otimes \sigma_z \otimes \mathbb{I}^{\otimes (n-j)},$$

for $j = 1, \ldots, n$. A Clifford algebra of $n$ generators is isomorphic to a C*-algebra
of matrices of size $2^{n/2} \times 2^{n/2}$ for $n$ even and to the direct sum of two C*-algebras
of matrices of size $2^{(n-1)/2} \times 2^{(n-1)/2}$ for $n$ odd [Tsi87].

C.2 Geometrical interpretation

The crucial advantage of the Clifford algebra is that we can view the operators
$\Gamma_1, \ldots, \Gamma_{2n}$ as $2n$ orthogonal vectors forming a basis for a $2n$-dimensional real
vector space $\mathbb{R}^{2n}$. Each vector $a = (a_1, \ldots, a_{2n}) \in \mathbb{R}^{2n}$ can then be written as
linear combination of basis elements as $a = \sum_j a_j \Gamma_j$. The Clifford product of two
vectors $a$ and $b$ is given by

$$ab = a \cdot b + a \wedge b,$$

where $a \cdot b = \sum_j a_j b_j \mathbb{I}$ is the inner product of two vectors and $a \wedge b$ is the
outer product, as given below. We will write scalars as scalar multiples of the
identity element whose matrix representation is simply the identity matrix. If we
represent $\Gamma_1, \ldots, \Gamma_{2n}$ using the matrices from above, then the Clifford product is
simply the matrix product of the resulting matrices. Hence, we will now adopt
this viewpoint with the representation in mind. Note that the Clifford product
satisfies $a^2 = |a|^2 \mathbb{I} = \sum_j a_j^2 \mathbb{I}$, where $|a| = \|a\|_2 = \sqrt{\sum_j a_j^2}$ is the 2-norm of the
vector $a$ which we refer to as the length of a vector.



C.2.1 Inner and outer product

We can see immediately from the definition of the Clifford product that the
inner product of two vectors $a, b \in \mathbb{R}^{2n}$ as depicted in Figure C.1 is given by
$a \cdot b = |a||b| \cos\psi \, \mathbb{I}$, and can be expressed as:

$$a \cdot b = \frac{1}{2}\{a, b\} = \frac{1}{2}(ab + ba).$$

Figure C.1: Two vectors

Hence, anti-commutation takes a geometric meaning within the algebra: two
vectors anti-commute if and only if they are orthogonal!
Similarly, we can write

$$a \wedge b = \frac{1}{2}[a, b] = \frac{1}{2}(ab - ba).$$

Geometrically, this means that two vectors are parallel if and only if they commute.

To gain some intuition, let's look at the simple example of $\mathbb{R}^2$: Here, we have
$a = a_1\Gamma_1 + a_2\Gamma_2$ and $b = b_1\Gamma_1 + b_2\Gamma_2$. The Clifford product of $a$ and $b$ is now
given as

$$ab = \sum_{jk} a_j b_k \Gamma_j \Gamma_k = (a_1 b_1 + a_2 b_2)\mathbb{I} + (a_1 b_2 - b_1 a_2)\Gamma_1\Gamma_2.$$

The element $a \wedge b = (a_1 b_2 - b_1 a_2)\Gamma_1\Gamma_2$ represents the oriented plane segment of
the parallelogram determined by $a$ and $b$ in Figure C.2 below. The area of this
parallelogram is exactly $|a \wedge b| = |a_1 b_2 - b_1 a_2|$. Note that we have $a \wedge b = -b \wedge a$,
as shown in Figure C.3. Thus $a \wedge b$ not only gives us the area but also encodes a
direction.

Figure C.2: $a \wedge b$

Figure C.3: $b \wedge a$

In higher dimensions, the elements generated by $a \wedge b \wedge c$ etc. similarly correspond
to oriented plane or volume segments. Note that we have $\Gamma_i \wedge \Gamma_j = \Gamma_i\Gamma_j$
for all basis vectors $\Gamma_i$ and $\Gamma_j$. We will refer to products of $k$ elements of the form
$\Gamma_{i_1} \cdots \Gamma_{i_k}$ as $k$-vectors.



C.2.2 Reflections

The power of the Clifford algebra mainly lies in the fact that we can express 
geometrical operations involving any $k$-vector in an extremely easy fashion using
the Clifford product. Here, we will only be concerned with performing operations 
on 1-vectors. 



Consider the projection of a vector $a$ onto a vector $m$ as depicted in Figure C.4.
Let $a_\parallel$ be the part of $a$ that is parallel to $m$, and $a_\perp$ the part of $a$ that lies
perpendicular to $m$. Clearly, we may write $a = a_\parallel + a_\perp$. Using the definition of
the Clifford product, we may write

$$a_\parallel = |a| \cos\psi \, \frac{m}{|m|} = (a \cdot m)\, m^\dagger,$$

where we define $m^\dagger = m/|m|^2$ to be the inverse of $m$. Indeed, we have $m m^\dagger = \mathbb{I}$.
If $m$ is a unit vector, then in terms of the matrix representation given above
$m^\dagger$ is the adjoint of the matrix $m$. For the product of two vectors we define
$(nm)^\dagger = m^\dagger n^\dagger$. We can also write

$$a_\perp = a - a_\parallel = a - (a \cdot m) m^\dagger = (am - (a \cdot m)) m^\dagger = (a \wedge m) m^\dagger.$$

Figure C.4: Projections onto a vector

We can now easily determine the reflection of $a$ around the vector $m$, as depicted
in Figure C.5:

$$t = a_\parallel - a_\perp = (a \cdot m - a \wedge m) m^\dagger = (m \cdot a + m \wedge a) m^\dagger = m a m^\dagger.$$

Consider $n = 1$. Then the 2-dimensional real vector space is given by basis vectors
$\Gamma_1 = X$ and $\Gamma_2 = Z$. Indeed, this is the familiar XZ-plane of the Bloch sphere
depicted in Figure 2.1. Consider the Hadamard transform $H = (X + Z)/\sqrt{2}$.
Figure C.7 demonstrates that $H$ plays exactly this role: it reflects $X$ around the
vector $H$ to obtain $HXH = Z$. Given $t$, we can also easily derive the vector
obtained by reflecting $a$ around the plane perpendicular to $m$ (in 0), as shown in
Figure C.6:

$$-t = -m a m^\dagger.$$

C.2.3 Rotations

From reflections we may now obtain rotations as successive reflections. Suppose
we are given vectors $m$ and $n$ as shown in Figure C.8. To rotate the vector $a$ by
an angle that is twice the angle between $m$ and $n$, we now first reflect $a$ around
$m$ to obtain $b = m a m^\dagger$. We then reflect $b$ around $n$ to obtain

$$n b n^\dagger = n m a m^\dagger n^\dagger = R a R^\dagger,$$

where we let $R = nm$. As desired, $R$ rotates $a$ by an angle of 2($\psi$ +

Figure C.5: Reflection of $a$ around $m$

We can easily convince ourselves that $R$ does not affect any vector $d$ that is
orthogonal to both $n$ and $m$:

$$R d R^\dagger = n m d m^\dagger n^\dagger = d n m m^\dagger n^\dagger = d,$$

where we have used the fact that two vectors anti-commute if and only if they
are orthogonal. Note also that $R R^\dagger = \mathbb{I}$. It can be shown that if $V$ is a $k$-vector,
then $R V R^\dagger$ is also a $k$-vector for any rotation $R$ [DL03]. Indeed, this is easy to
see for the $k$-vector formed by orthogonal basis vectors:

$$R(\Gamma_{i_1} \wedge \ldots \wedge \Gamma_{i_k})R^\dagger = R(\Gamma_{i_1} \cdots \Gamma_{i_k})R^\dagger = R\Gamma_{i_1}R^\dagger \cdots R\Gamma_{i_k}R^\dagger = R\Gamma_{i_1}R^\dagger \wedge \ldots \wedge R\Gamma_{i_k}R^\dagger,$$

where we have used the fact that rotations preserve the angles between vectors.
We will need this fact in our proof in Chapter 4.

Clifford algebra offers a very convenient way to express rotations around arbitrary
angles in the plane $m \wedge n$ [Lou01]. In Chapter 4, however, we will only
need to understand how we can find the rotation $R$ that takes us from a given
vector $g = \sum_j g_j \Gamma_j$ with length $|g|$ to the vector $|g|\Gamma_1$. Indeed, our strategy works
for finding the rotation of any vector to a target vector $t$ of the same length.
Consider Figure C.9.

Figure C.7: Hadamard transform as reflection

For convenience, we first normalize $g$ to obtain the vector

$$g' = \frac{g}{|g|}.$$

We then compute the vector $m'$ lying exactly half-way between $g'$ and our target
vector $\Gamma_1$ and normalize it to obtain

$$m = \frac{g' + \Gamma_1}{|g' + \Gamma_1|} = \frac{g' + \Gamma_1}{\sqrt{2(1 + g_1/|g|)}}.$$

We now first reflect $g'$ around the plane perpendicular to the vector $m$ to obtain
$-m g' m$, followed by a reflection around the plane perpendicular to the target
vector $\Gamma_1$:

$$-\Gamma_1(-m g' m)\Gamma_1 = \Gamma_1 m g' m \Gamma_1 = R g' R^\dagger,$$

with $R = \Gamma_1 m$, where we have used the fact that both $\Gamma_1$ and $m$ have unit length
and hence $m = m^\dagger$ and $\Gamma_1 = \Gamma_1^\dagger$. Evidently,

$$R g' = \Gamma_1 m g' = \frac{1}{|g' + \Gamma_1|}\Gamma_1 (g' + \Gamma_1) g' = \frac{1}{|g' + \Gamma_1|}\Gamma_1 (g'^2 + \Gamma_1 g') = \frac{1}{|g' + \Gamma_1|}(\Gamma_1 + g') = m,$$

and hence

$$R g' R^\dagger = m m \Gamma_1 = \Gamma_1.$$

We then also have that

$$R g R^\dagger = |g| R g' R^\dagger = |g| \Gamma_1$$

as desired. We will employ a similar rotation in Chapter 4.



C.3 Application 

Here, the primary benefit which we gain by considering a Clifford algebra, is that 
we can parametrize matrices in terms of its generators, and products thereof. 
Suppose we are given some matrix 

where $B_j$ form a basis for the $d \times d$ complex matrices, such that for all $j \neq j'$
we have $\mathrm{Tr}(B_j B_{j'}) = 0$, $\mathrm{Tr}(B_j) = 0$, $B_j^2 = \mathbb{I}$, and $b_j \in \mathbb{R}$. We saw in Chapter Q
how to construct such a basis for $d = 2^n$ based on mutually unbiased bases. In
fact, this gives us the well-known Pauli basis, given by the $2^{2n}$ elements of the
form $B_j = B_j^1 \otimes \ldots \otimes B_j^n$ with $B_j^i \in \{\mathbb{I}, \sigma_x, \sigma_y, \sigma_z\}$. When solving optimization
problems within quantum information, we are often faced with the following
problem: When is $\rho$ a quantum state? That is, what are the necessary and
sufficient conditions for the coefficients $b_j$ such that $\rho \geq 0$?

For $d = 2$, this is an easy problem: We can write $\rho = (\mathbb{I} + \sum_j r_j \sigma_j)/2$
where $r = (r_x, r_y, r_z)$ is the Bloch vector we encountered in Chapter 2. We have
that $\rho \geq 0$ if and only if $-\mathbb{I} \leq \sum_j r_j \sigma_j \leq \mathbb{I}$, i.e.

$$\sum_j r_j^2 \, \mathbb{I} \leq \mathbb{I}.$$

Thus, we have $\rho \geq 0$ if and only if $\sum_j r_j^2 \leq 1$. Geometrically, this means that
any point on or inside the Bloch sphere corresponds to a valid quantum state
as illustrated in Figure 2.1. Sadly, when we consider $d > 2$, our task becomes
considerably more difficult. Clearly, since $\mathrm{Tr}(\rho^2) \leq 1$ for any quantum state, we
can always say that

$$\mathrm{Tr}(\rho^2) = \frac{1}{d^2}\Big(\mathrm{Tr}(\mathbb{I}) + 2\sum_j b_j \mathrm{Tr}(B_j) + \sum_{jj'} b_j b_{j'} \mathrm{Tr}(B_j B_{j'})\Big) \leq 1,$$

giving us $\sum_j b_j^2 \leq d - 1$. Unfortunately, this condition is too weak for almost
all practical applications. There exist many matrices which obey this condition,
but nevertheless do not correspond to valid quantum states. Luckily, we can say
something much stronger using the Clifford algebra.

Let's consider the operators $\Gamma_1, \ldots, \Gamma_{2n}$ themselves. Evidently, each operator
$\Gamma_i$ has exactly two eigenvalues $\pm 1$: Let $|\eta\rangle$ be an eigenvector of $\Gamma_i$ with eigenvalue
$\lambda$. From $\Gamma_i^2 = \mathbb{I}$ we have that $\lambda^2 = 1$. Furthermore, we have $\Gamma_i(\Gamma_j|\eta\rangle) = -\lambda\Gamma_j|\eta\rangle$.
Thus, if $\lambda$ is an eigenvalue of $\Gamma_i$ then so is $-\lambda$. We can therefore express each $\Gamma_i$
as

$$\Gamma_i = \Gamma_i^0 - \Gamma_i^1$$

where $\Gamma_i^0$ and $\Gamma_i^1$ are projectors onto the positive and negative eigenspace of $\Gamma_i$
respectively. Furthermore, note that we have for all $i, j$ with $i \neq j$

$$\mathrm{Tr}(\Gamma_i\Gamma_j) = \frac{1}{2}\mathrm{Tr}(\Gamma_i\Gamma_j + \Gamma_j\Gamma_i) = 0,$$

that is all such operators are orthogonal with respect to the Hilbert-Schmidt inner
product. We now use the fact that the collection of operators

$\mathbb{I}$
$\Gamma_j \quad (1 \leq j \leq 2n)$
$\Gamma_{jk} := i\Gamma_j\Gamma_k \quad (1 \leq j < k \leq 2n)$
$\Gamma_{jk\ell} := \Gamma_j\Gamma_k\Gamma_\ell \quad (1 \leq j < k < \ell \leq 2n)$

$\Gamma_{12\ldots(2n)} := i\Gamma_1\Gamma_2 \cdots \Gamma_{2n} =: \Gamma_0$

forms an orthogonal basis for the $d \times d$ matrices with $d = 2^n$ [Die06]. By counting,
the above operators form a complete operator basis with respect to the
Hilbert-Schmidt inner product. In fact, by working out the individual basis elements
with respect to the representation above, we see that this basis is in fact equal
to the Pauli basis. Notice that the products with an odd number of factors are
Hermitian, while the ones with an even number of factors are skew-Hermitian, so
in the definition of the above operators we introduce a factor of $i$ to all with an
even number of indices to make the whole set a basis for the Hermitian operators.
Hence we can write every state $\rho \in \mathcal{H}$ as



P 



with real coefficients $g_j, g_{jk}, \ldots$.

It is clear from the above that if we transform the generating set of $\Gamma_j$ linearly,

$$\Gamma'_k = \sum_j T_{jk} \Gamma_j,$$

then the set $\{\Gamma'_1, \ldots, \Gamma'_{2n}\}$ satisfies the anti-commutation relations if and only if
$(T_{jk})_{jk}$ is an orthogonal matrix: these are exactly the operations which preserve
the inner product. In that case there exists a matching unitary $U(T) \in \mathbb{B}(\mathcal{H})$
which transforms the operator basis as

$$\Gamma'_j = U(T)\Gamma_j U(T)^\dagger.$$

As an important consequence, it can be shown [Die06] that any operation $U(T)$
transforms the state $\rho$ as

$$U(T)\rho U(T)^\dagger = \frac{1}{d}\Big(\mathbb{I} + T(g) + \sum_{j<k} g'_{jk}\Gamma_{jk} + \ldots + g'_0\Gamma_0\Big),$$

where we write $T(g)$ to indicate the transformation of the vector $g = \sum_j g_j\Gamma_j$
by $T$. For example, for the rotation $R$ constructed earlier, we may immediately
write

$$R\rho R^\dagger = \frac{1}{d}\Big(\mathbb{I} + RgR^\dagger + \sum_{j<k} g_{jk}R\Gamma_{jk}R^\dagger + \ldots + g_0 R\Gamma_0 R^\dagger\Big)
= \frac{1}{d}\Big(\mathbb{I} + |g|\Gamma_1 + \sum_{j<k} g'_{jk}\Gamma_{jk} + \ldots + g'_0\Gamma_0\Big).$$
Thus, we can think of the 1-vector components of $\rho$ as vectors in a generalized
Bloch sphere. In Chapter 4, we will extend this approach to include the $\Gamma_0$ as an
additional "vector". There, we use these facts to prove a useful statement which
leads to our uncertainty relations:

C.3.1. Lemma (Lemma 4.3.2). For any state $\rho$, we have $\sum_j g_j^2 \leq 1$.

With respect to our discussion above, this is indeed a generalization of what
we observed for the Bloch sphere in $d = 2$. Note that we obtain a whole range
of such statements as we can find different sets of $2n$ anti-commuting matrices
within the entire set of $2^{2n}$ basis elements above.
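
The following added example (not part of the thesis) checks the statements of Sections C.2.3 and C.3 numerically in plain Python: it builds the generators on $n$ qubits, verifies the anti-commutation relations, confirms $\sum_j g_j^2 \leq 1$ on random states, applies the rotation $R = \Gamma_1 m$, and exhibits a matrix that meets the weak $\mathrm{Tr}(\rho^2)$ bound without being a state. It assumes $g_j = \mathrm{Tr}(\rho\,\Gamma_j)$ and the Jordan-Wigner convention in which $\Gamma_{2j-1}$ carries $\sigma_x$ and $\Gamma_{2j}$ carries $\sigma_z$ (matching $\Gamma_1 = X$, $\Gamma_2 = Z$ for $n = 1$); all function names are chosen here.

```python
# Added example, not code from the thesis: Appendix C checked numerically in pure Python.
import math
import random

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Y = [[0, -1j], [1j, 0]]
Z = [[1, 0], [0, -1]]

def kron(a, b):
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

def mul(a, b):
    cols = list(zip(*b))
    return [[sum(x * y for x, y in zip(row, col)) for col in cols] for row in a]

def add(a, b, s=1):
    """Return a + s*b."""
    return [[x + s * y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def scale(c, a):
    return [[c * x for x in row] for row in a]

def dagger(a):
    return [[complex(x).conjugate() for x in col] for col in zip(*a)]

def trace(a):
    return sum(a[i][i] for i in range(len(a)))

def identity(d):
    return [[1 if i == j else 0 for j in range(d)] for i in range(d)]

def generators(n):
    """Gamma_1..Gamma_2n on n qubits via the Jordan-Wigner transformation."""
    gens = []
    for j in range(1, n + 1):
        # Gamma_{2j-1} carries sigma_x (assumed convention), Gamma_{2j} carries sigma_z.
        for middle in (X, Z):
            g = [[1]]
            for factor in [Y] * (j - 1) + [middle] + [I2] * (n - j):
                g = kron(g, factor)
            gens.append(g)
    return gens

def anticommutation_error(gens):
    """Largest entry of Gamma_i Gamma_j + Gamma_j Gamma_i - 2 delta_ij I over all i, j."""
    d, worst = len(gens[0]), 0.0
    for i, gi in enumerate(gens):
        for j, gj in enumerate(gens):
            target = scale(2 if i == j else 0, identity(d))
            dev = add(add(mul(gi, gj), mul(gj, gi)), target, -1)
            worst = max(worst, max(abs(x) for row in dev for x in row))
    return worst

def random_state(d, rng):
    """rho = A A^dagger / Tr(A A^dagger): positive semidefinite with unit trace."""
    a = [[complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(d)] for _ in range(d)]
    m = mul(a, dagger(a))
    return scale(1 / trace(m).real, m)

def one_vector(rho, gens):
    """Coefficients g_j = Tr(rho Gamma_j) of the 1-vector part of rho."""
    return [trace(mul(rho, g)).real for g in gens]

def rotation_to_gamma1(g, gens):
    """R = Gamma_1 m, where m is the unit vector half-way between g/|g| and Gamma_1."""
    norm = math.sqrt(sum(x * x for x in g))
    if norm < 1e-12 or 1 + g[0] / norm < 1e-12:
        raise ValueError("g is zero or anti-parallel to Gamma_1: no half-way vector")
    g_unit = scale(0, gens[0])
    for coeff, gamma in zip(g, gens):
        g_unit = add(g_unit, scale(coeff / norm, gamma))
    m = scale(1 / math.sqrt(2 * (1 + g[0] / norm)), add(g_unit, gens[0]))
    return mul(gens[0], m)

def check_random_state(n, seed):
    """Return (sum_j g_j^2, 1-vector coefficients of R rho R^dagger) for a random state."""
    gens = generators(n)
    rho = random_state(2 ** n, random.Random(seed))
    g = one_vector(rho, gens)
    r = rotation_to_gamma1(g, gens)
    return sum(x * x for x in g), one_vector(mul(mul(r, rho), dagger(r)), gens)

def weak_bound_counterexample(n):
    """M = (I + sqrt(d-1) Gamma_1)/d has Tr(M^2) = 1 yet is not a state.

    Returns (Tr(M^2), <v|M|v>, sum_j g_j^2) for v = |->|0...0>, the -1 eigenvector
    of Gamma_1 = sigma_x (x) I (x) ... (x) I.
    """
    gens, d = generators(n), 2 ** n
    m = scale(1 / d, add(identity(d), scale(math.sqrt(d - 1), gens[0])))
    v = [0.0] * d
    v[0], v[d // 2] = 1 / math.sqrt(2), -1 / math.sqrt(2)
    expectation = sum(v[i] * m[i][j] * v[j] for i in range(d) for j in range(d))
    return trace(mul(m, m)), expectation, sum(x * x for x in one_vector(m, gens))

if __name__ == "__main__":
    print("anti-commutation error, n=3:", anticommutation_error(generators(3)))
    for seed in range(3):
        total, rotated = check_random_state(2, seed)
        print("sum g_j^2 =", round(total, 6), "rotated:", [round(x, 6) for x in rotated])
    print("Tr(M^2), <v|M|v>, sum g_j^2:", weak_bound_counterexample(2))
```

For the rotated state only the $\Gamma_1$ coefficient is non-zero and equals $|g|$, while the counterexample has $\sum_j g_j^2 = d - 1 > 1$ together with a negative expectation value.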



C.4 Conclusion 

Luckily, we made some progress to give a characterization of quantum states 
in terms of their basis coefficients that was sufficient to prove our uncertainty 
relation from Chapter 4. Parametrizing states using Clifford algebra elements
provides us with additional structure to characterize quantum states that is not 
at all obvious when looking at them from a linear algebra point of view alone. 
We hope that parametrizing states in this fashion could enable us to make even 
stronger statements in the future. It is also interesting to think about standard 
quantum gates as geometrical operations within the Clifford algebra. Indeed, this 
is possible to a large extent, but lies outside the scope of this text. 

Clearly, the subspace spanned by the elements $\Gamma_1, \ldots, \Gamma_{2n}$ plays a special role.
Note that when considering the state minimizing our uncertainty relation, only
its 1-vector coefficients played any role. The other coefficients do not contribute
at all to the minimization problem. It is interesting to observe that we have in
fact already seen a similar effect in Chapter 6. Recall that we used Tsirelson's
construction to turn vectors $a, b \in \mathbb{R}^{2n}$ back into observables by letting
$A = \sum_j a_j\Gamma_j$ and $B = \sum_j b_j\Gamma_j$. The optimal strategy of Alice and Bob could then be
implemented using the maximally entangled state of local dimension $d = 2^n$

where $g_j = \pm 1$ and we used the $R_j$ simply as a remainder term. Clearly, the
coefficients $r_j$ do not contribute to the term $\langle\Psi|A \otimes B|\Psi\rangle$ at all, and only the
coefficients $g_j$ matter. However, in dimension $d = 2^n$ we have only $2n$ such terms.
Curiously, the remaining terms are only needed to ensure that $\rho \geq 0$. Numerical
feasibility analysis using semidefinite programming for $d = 4$ and $d = 8$ reveals
that we do indeed need to take the maximally entangled state, and cannot omit
any of the remaining terms.

$\mathcal{S}(\mathcal{H})$    set of states on $\mathcal{H}$
$[A, B]$    commutator $AB - BA$
    anti-commutator $AB + BA$
$\mathrm{Comm}(\mathscr{A})$    commutant of the algebra $\mathscr{A}$
    center of the algebra $\mathscr{A}$
    algebra generated by $A_1, \ldots, A_n$
$\langle S \rangle$    algebra generated by operators from the set $S$
    trace distance of $\rho$ and $\sigma$
    fidelity of $\rho$ and $\sigma$
$d(X|\rho)$    distance from uniform of r.v. $X$ given state $\rho$
$h(p)$    binary entropy
$H(X, Y)$    joint entropy of $X$ and $Y$
$H(X|Y)$    conditional entropy of $X$ given $Y$
$I(X, Y)$    mutual information of $X$ and $Y$
$I_c(\rho_{AB})$    classical mutual information of $\rho_{AB}$
    accessible information of an ensemble $\mathcal{E}$
$S(\rho)$    von Neumann entropy of the state $\rho$
$\chi(\rho)$    Holevo quantity
    min-entropy
$H_2(X)$    collision entropy
$H_2(\rho_{AB}|\rho_B)$    collision entropy of $\rho_{AB}$ given $\rho_B$

Summary (Samenvatting)



Quantum computing has had a great influence on cryptography. With the discovery
of Shor's quantum algorithm for factoring large numbers, nearly all classical
systems can suddenly be broken as soon as a quantum computer is built. It is
therefore important to devise other ways of implementing secure cryptographic
protocols. This thesis contributes to a better understanding of both the physical
limitations and the possibilities of cryptography in a quantum setting. We first
look at two aspects that play a crucial role in the security of quantum protocols:
uncertainty relations and quantum entanglement. How can we find good
uncertainty relations for a large number of measurement settings? What is the
effect of entanglement on classical protocols? And what limitations does
entanglement impose on quantum protocols? Finally, can we circumvent these
limitations under realistic assumptions?



Information in quantum states

In this part we are concerned with extracting information from quantum states.
One of the most fundamental goals is distinguishing quantum states. Given a set
of possible states, which is the state we currently have at hand? We study a
variant of this problem that is relevant to the security of protocols in the
bounded quantum storage model. After the measurement, or more generally
after a quantum memory bound is applied, we receive additional information. We
introduce a general algebraic framework that makes it possible to solve this
problem for any set of states, and we give two examples.

We further investigate entropic uncertainty relations, which form another way
to describe Heisenberg's uncertainty principle. This is usually a better way
to describe "uncertainty", since the lower bound does not depend on a particular
state but only on the measurements themselves. Entropic uncertainty relations
have recently gained more influence within the field of quantum cryptography in
the bounded storage model, where the security of protocols ultimately depends on
such uncertainty relations. New uncertainty relations can thus lead to new
protocols.

Uncertainty relations are known for two or $d+1$ mutually "unbiased measurements".
We first prove tight entropic uncertainty relations for measurements
with a large number of "mutually unbiased bases" (MUBs) in dimensions
$d = s^2$. We also show that MUBs are not a good choice for "locking"
classical information in quantum states; even if we use more than two such
MUBs, the locking effect does not increase.

Our results show that one must be very careful about assuming that "maximally
incompatible" measurements are mutually "unbiased". But which properties must a
measurement have in order to be very 'incompatible'? Fortunately, we can find
such properties for measurements with two outcomes. For anti-commuting
measurements that form generators of a Clifford algebra, we prove optimal
uncertainty relations for the Shannon entropy, and nearly optimal relations for
the collision entropy. Our results can be applied to quantum cryptography.

Entanglement

In this part we investigate quantum entanglement. First of all, we look at
Tsirelson inequalities. We show how we can determine the optimal strategy for
games with two outcomes using semidefinite programming. As an example we show
an upper bound for the generalized CHSH inequality.

We further show how classical interactive proof systems with two players
(provers) can change if the players can share entanglement. This is an example
of how the security of classical systems can change, even if it is only possible
to perform a limited kind of quantum operations: the proof system is
significantly weakened even though the players have no access to a quantum
computer.

Applications to cryptography

In Part IV we investigate the consequences of uncertainty relations and
entanglement in quantum systems for cryptography. Traditionally, cryptography is
mainly concerned with sending messages securely. But with the rise of the
internet, new tasks have become important. We want to create protocols for
electronic voting, online auctions, signing contracts and many other applications
in which the participants do not trust each other. The focus here is on two
primitives with the help of which we can solve all these problems: bit commitment
and oblivious transfer. Classical protocols for these primitives are based on
computational assumptions that can be broken with the help of a quantum computer.
Unfortunately, it is known that even in the quantum world these primitives cannot
be implemented entirely without assumptions. What, then, can we hope to achieve?

If bit commitment is impossible, can we perhaps adapt the task a little and then
find useful protocols? Here we consider commitments to a whole string of bits at
once, where the adversary is not restricted. If bit commitment is impossible,
perfect string commitment is not possible either. But we give each adversary the
possibility to cheat a little. We give a framework for a family of string
commitment protocols. How we measure information turns out to play a crucial
role; for a very strong measure of information we show that even these imperfect
string commitments are not possible. But for a weaker way of measuring
information we nevertheless construct non-trivial protocols that are not possible
classically.

Finally, we show that bit commitment and oblivious transfer do become possible
if we impose realistic restrictions on the adversary. We introduce the
noisy-storage model, which is closely related to the bounded-storage model. We
show that it is possible to implement oblivious transfer as long as the adversary
cannot store qubits without errors. Given the state of experimental capabilities
today, this seems a realistic assumption, but depending on the implementation it
is difficult to determine. The same problems that make it so difficult to build a
quantum computer work to our advantage here!



Summary 



Quantum computing had a profound impact on cryptography. Shor's discovery 
of an efficient quantum algorithm for factoring large integers implies that nearly 
all existing classical systems based on computational assumptions can be bro- 
ken, once a quantum computer is built. It is therefore imperative to find other 
means of implementing secure protocols. This thesis aims to contribute to the 
understanding of both the physical limitations, as well as the possibilities of cryp- 
tography in the quantum setting. To this end, we first investigate two notions 
that are crucial to the security of quantum protocols: uncertainty relations and 
entanglement. How can we find good uncertainty relations for a large number 
of measurement settings? How does the presence of entanglement affect classi- 
cal protocols? And, what limitations does it impose on implementing quantum 
protocols? Finally, can we circumvent some of those limitations using realistic 
assumptions? 



Information in Quantum States 

In this part, we start by investigating how to extract information from quan- 
tum states. One of the most basic tasks is the discrimination of quantum states. 
Given an ensemble of known quantum states, which one do we hold in our hands? 
We study a variant of this problem which is of central importance for the secu- 
rity of protocols in the bounded-quantum-storage model. Here, we are given 
additional information about the state after the measurement or, more generally, 
after a quantum memory bound is applied. We prove general bounds on the suc- 
cess probability which answer in the negative the question whether deterministic 
privacy amplification is possible in all known protocols in the bounded-quantum- 
storage model. To this end, we introduce a general algebraic framework which 
allows us to solve this problem for any set of states and provide two explicit
examples.

We then turn to examine entropic uncertainty relations, which are an alternative
way to state Heisenberg's uncertainty principle. They are frequently a
more useful characterization, because the "uncertainty" is lower bounded by a 
quantity that does not depend on the state to be measured. Recently, entropic 
uncertainty relations have gained importance in the context of quantum cryp- 
tography in the bounded-storage model, where proving the security of protocols 
ultimately reduces to bounding such relations. Proving new entropic uncertainty 
relations could thus give rise to new protocols. Such relations are known for two 
or d + 1 mutually unbiased measurements. We prove tight entropic uncertainty 
relations for measurements in a large number of specific mutually unbiased bases 
(MUBs) in square dimensions. In a similar way, we show that such MUBs are 
unsuitable for locking classical correlations in quantum states: Using 2 or all of 
them does not increase the locking effect. 

Our result shows that one needs to be careful about thinking of "maximally 
incompatible" measurements as being necessarily mutually unbiased. But what 
properties do measurements need to have in order to give strong uncertainty 
relations? We find very strong uncertainty relations from the generators of a 
Clifford algebra. In particular, we prove that for $k$ such anti-commuting observables
$X_1, \ldots, X_k$ we obtain optimal uncertainty relations for the Shannon entropy
and nearly optimal relations for the collision entropy. Our results have immediate 
applications to quantum cryptography in the bounded-storage model. 



Entanglement 

In this part, we investigate the intriguing notion of quantum entanglement. We
demonstrate how to find the optimal quantum strategies for correlation inequalities
where each measurement has exactly two outcomes using semidefinite programming.
As an example, we prove a tight upper bound for a well-known generalized
CHSH inequality.

Furthermore, we consider how a classical two-prover interactive proof system 
changes if the provers are allowed to share entanglement. In this setting, a polyno- 
mial time bounded verifier is allowed to ask questions to two unbounded provers, 
who are trying to convince the verifier of the validity of a specific statement, even 
if the statement is false. The provers may thereby agree on any strategy ahead 
of time, but can no longer communicate once the protocol starts. Surprisingly, 
it turns out that, when the provers are allowed to share entanglement, it is pos- 
sible to simulate two such classical provers using a single quantum prover. This 
indicates that entanglement among provers truly weakens the proof system, and 
provides an example of how classical systems can be affected, even if we only 
allow a very limited set of quantum operations. 

Applications to Cryptography

In this part, we consider the consequences of uncertainty relations and entan- 
glement in quantum systems to cryptography. Traditional cryptography is con- 
cerned with the secure and reliable transmission of messages. With the advent 
of widespread electronic communication and the internet, however, new crypto- 
graphic tasks have become increasingly important. We would like to construct 
secure protocols for electronic voting, online auctions, contract signing and many 
other applications where the protocol participants themselves do not trust each
other. Our main focus is on two primitives, which form an important building block
for constructing multi-party protocols: bit commitment and oblivious transfer. 
Classical protocols for such problems are usually based on computational assump- 
tions which do not stand up to a quantum computer. Unfortunately, it has been 
shown that even quantum computers do not help in this case and that perfect 
quantum bit commitment and oblivious transfer are impossible. In the face of 
such negative statements, what can we still hope to achieve? 

Given that perfect bit commitment is impossible, perhaps we can alter the 
task slightly and obtain useful protocols? Here, we considered commitments to 
an entire string of bits at once, when the attacker has unbounded resources at 
his disposal. Evidently, if perfect bit commitment is impossible, perfect string
commitment is also impossible. However, we showed that we can obtain
non-trivial quantum protocols, where the participants have a small ability
to cheat. To this end, we introduced a framework for the classification of string 
commitment protocols. In particular, we proved that the measure of information 
is crucial to the security: For a very strong notion of security, we showed that 
even slightly imperfect quantum string commitments are also impossible. Never- 
theless, we showed that for a weaker measure of information we can indeed obtain 
nontrivial protocols, which are impossible in a classical world. 

Luckily, it turns out that we can implement oblivious transfer if we are willing 
to assume that storing qubits is noisy. We introduce the model of noisy quantum 
storage, which is similar to the model of bounded quantum storage. Here, how- 
ever, we consider an explicit noise model inspired by present day technology. If 
the honest parties can perform perfect quantum operations, then we show that 
the protocol is secure for any amount of noise. In case the honest participants are 
only able to perform noisy operations themselves, we analyze a practical protocol 
that can be implemented using present-day hardware. We show how to derive 
explicit tradeoffs between the amount of storage noise, the amount of noise in the 
operations performed by the honest participants and the security of the protocol. 
Here, the very problem that makes it so hard to implement a quantum computer 
can actually be turned to our advantage. 